098ded3197153033202e61e38a56813fa42c76f2
[WebKit-https.git] / Source / JavaScriptCore / dfg / DFGFixupPhase.cpp
1 /*
2  * Copyright (C) 2012-2017 Apple Inc. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  *    notice, this list of conditions and the following disclaimer in the
11  *    documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
14  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
17  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
18  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
19  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
20  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
21  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
24  */
25
26 #include "config.h"
27 #include "DFGFixupPhase.h"
28
29 #if ENABLE(DFG_JIT)
30
31 #include "ArrayPrototype.h"
32 #include "DFGGraph.h"
33 #include "DFGInferredTypeCheck.h"
34 #include "DFGInsertionSet.h"
35 #include "DFGPhase.h"
36 #include "DFGPredictionPropagationPhase.h"
37 #include "DFGVariableAccessDataDump.h"
38 #include "JSCInlines.h"
39 #include "TypeLocation.h"
40
41 namespace JSC { namespace DFG {
42
43 class FixupPhase : public Phase {
44 public:
45     FixupPhase(Graph& graph)
46         : Phase(graph, "fixup")
47         , m_insertionSet(graph)
48     {
49     }
50     
51     bool run()
52     {
53         ASSERT(m_graph.m_fixpointState == BeforeFixpoint);
54         ASSERT(m_graph.m_form == ThreadedCPS);
55         
56         m_profitabilityChanged = false;
57         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
58             fixupBlock(m_graph.block(blockIndex));
59         
60         while (m_profitabilityChanged) {
61             m_profitabilityChanged = false;
62             
63             for (unsigned i = m_graph.m_argumentPositions.size(); i--;)
64                 m_graph.m_argumentPositions[i].mergeArgumentUnboxingAwareness();
65             
66             for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
67                 fixupGetAndSetLocalsInBlock(m_graph.block(blockIndex));
68         }
69         
70         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
71             fixupChecksInBlock(m_graph.block(blockIndex));
72
73         m_graph.m_planStage = PlanStage::AfterFixup;
74
75         return true;
76     }
77
78 private:
79     void fixupBlock(BasicBlock* block)
80     {
81         if (!block)
82             return;
83         ASSERT(block->isReachable);
84         m_block = block;
85         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
86             m_currentNode = block->at(m_indexInBlock);
87             fixupNode(m_currentNode);
88         }
89         m_insertionSet.execute(block);
90     }
91     
92     void fixupNode(Node* node)
93     {
94         NodeType op = node->op();
95
96         switch (op) {
97         case SetLocal: {
98             // This gets handled by fixupGetAndSetLocalsInBlock().
99             return;
100         }
101             
102         case BitAnd:
103         case BitOr:
104         case BitXor:
105         case BitRShift:
106         case BitLShift:
107         case BitURShift: {
108             if (Node::shouldSpeculateUntypedForBitOps(node->child1().node(), node->child2().node())) {
109                 fixEdge<UntypedUse>(node->child1());
110                 fixEdge<UntypedUse>(node->child2());
111                 break;
112             }
113             fixIntConvertingEdge(node->child1());
114             fixIntConvertingEdge(node->child2());
115             break;
116         }
117
118         case ArithIMul: {
119             fixIntConvertingEdge(node->child1());
120             fixIntConvertingEdge(node->child2());
121             node->setOp(ArithMul);
122             node->setArithMode(Arith::Unchecked);
123             node->child1().setUseKind(Int32Use);
124             node->child2().setUseKind(Int32Use);
125             break;
126         }
127
128         case ArithClz32: {
129             if (node->child1()->shouldSpeculateNotCell()) {
130                 fixIntConvertingEdge(node->child1());
131                 node->clearFlags(NodeMustGenerate);
132             } else
133                 fixEdge<UntypedUse>(node->child1());
134             break;
135         }
136             
137         case UInt32ToNumber: {
138             fixIntConvertingEdge(node->child1());
139             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
140                 node->convertToIdentity();
141             else if (node->canSpeculateInt32(FixupPass))
142                 node->setArithMode(Arith::CheckOverflow);
143             else {
144                 node->setArithMode(Arith::DoOverflow);
145                 node->clearFlags(NodeMustGenerate);
146                 node->setResult(enableInt52() ? NodeResultInt52 : NodeResultDouble);
147             }
148             break;
149         }
150             
151         case ValueAdd: {
152             if (attemptToMakeIntegerAdd(node)) {
153                 node->setOp(ArithAdd);
154                 break;
155             }
156             if (Node::shouldSpeculateNumberOrBooleanExpectingDefined(node->child1().node(), node->child2().node())) {
157                 fixDoubleOrBooleanEdge(node->child1());
158                 fixDoubleOrBooleanEdge(node->child2());
159                 node->setOp(ArithAdd);
160                 node->setResult(NodeResultDouble);
161                 break;
162             }
163             
164             if (attemptToMakeFastStringAdd(node))
165                 break;
166
167             Edge& child1 = node->child1();
168             Edge& child2 = node->child2();
169             if (child1->shouldSpeculateString() || child2->shouldSpeculateString()) {
170                 if (child1->shouldSpeculateInt32() || child2->shouldSpeculateInt32()) {
171                     auto convertString = [&](Node* node, Edge& edge) {
172                         if (edge->shouldSpeculateInt32())
173                             convertStringAddUse<Int32Use>(node, edge);
174                         else {
175                             ASSERT(edge->shouldSpeculateString());
176                             convertStringAddUse<StringUse>(node, edge);
177                         }
178                     };
179                     convertString(node, child1);
180                     convertString(node, child2);
181                     convertToMakeRope(node);
182                     break;
183                 }
184             }
185
186             fixEdge<UntypedUse>(child1);
187             fixEdge<UntypedUse>(child2);
188             node->setResult(NodeResultJS);
189             break;
190         }
191
192         case StrCat: {
193             if (attemptToMakeFastStringAdd(node))
194                 break;
195
196             // FIXME: Remove empty string arguments and possibly turn this into a ToString operation. That
197             // would require a form of ToString that takes a KnownPrimitiveUse. This is necessary because
198             // the implementation of StrCat doesn't dynamically optimize for empty strings.
199             // https://bugs.webkit.org/show_bug.cgi?id=148540
200             m_graph.doToChildren(
201                 node,
202                 [&] (Edge& edge) {
203                     fixEdge<KnownPrimitiveUse>(edge);
204                 });
205             break;
206         }
207             
208         case MakeRope: {
209             fixupMakeRope(node);
210             break;
211         }
212             
213         case ArithAdd:
214         case ArithSub: {
215             if (op == ArithSub
216                 && Node::shouldSpeculateUntypedForArithmetic(node->child1().node(), node->child2().node())) {
217                 fixEdge<UntypedUse>(node->child1());
218                 fixEdge<UntypedUse>(node->child2());
219                 node->setResult(NodeResultJS);
220                 break;
221             }
222             if (attemptToMakeIntegerAdd(node))
223                 break;
224             fixDoubleOrBooleanEdge(node->child1());
225             fixDoubleOrBooleanEdge(node->child2());
226             node->setResult(NodeResultDouble);
227             break;
228         }
229             
230         case ArithNegate: {
231             if (node->child1()->shouldSpeculateInt32OrBoolean() && node->canSpeculateInt32(FixupPass)) {
232                 fixIntOrBooleanEdge(node->child1());
233                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
234                     node->setArithMode(Arith::Unchecked);
235                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
236                     node->setArithMode(Arith::CheckOverflow);
237                 else
238                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
239                 node->setResult(NodeResultInt32);
240                 node->clearFlags(NodeMustGenerate);
241                 break;
242             }
243             if (m_graph.unaryArithShouldSpeculateAnyInt(node, FixupPass)) {
244                 fixEdge<Int52RepUse>(node->child1());
245                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
246                     node->setArithMode(Arith::CheckOverflow);
247                 else
248                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
249                 node->setResult(NodeResultInt52);
250                 node->clearFlags(NodeMustGenerate);
251                 break;
252             }
253             if (node->child1()->shouldSpeculateNotCell()) {
254                 fixDoubleOrBooleanEdge(node->child1());
255                 node->setResult(NodeResultDouble);
256                 node->clearFlags(NodeMustGenerate);
257             } else
258                 fixEdge<UntypedUse>(node->child1());
259             break;
260         }
261             
262         case ArithMul: {
263             Edge& leftChild = node->child1();
264             Edge& rightChild = node->child2();
265             if (Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())) {
266                 fixEdge<UntypedUse>(leftChild);
267                 fixEdge<UntypedUse>(rightChild);
268                 node->setResult(NodeResultJS);
269                 break;
270             }
271             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
272                 fixIntOrBooleanEdge(leftChild);
273                 fixIntOrBooleanEdge(rightChild);
274                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
275                     node->setArithMode(Arith::Unchecked);
276                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())
277                     || leftChild.node() == rightChild.node())
278                     node->setArithMode(Arith::CheckOverflow);
279                 else
280                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
281                 break;
282             }
283             if (m_graph.binaryArithShouldSpeculateAnyInt(node, FixupPass)) {
284                 fixEdge<Int52RepUse>(leftChild);
285                 fixEdge<Int52RepUse>(rightChild);
286                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())
287                     || leftChild.node() == rightChild.node())
288                     node->setArithMode(Arith::CheckOverflow);
289                 else
290                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
291                 node->setResult(NodeResultInt52);
292                 break;
293             }
294             fixDoubleOrBooleanEdge(leftChild);
295             fixDoubleOrBooleanEdge(rightChild);
296             node->setResult(NodeResultDouble);
297             break;
298         }
299
300         case ArithDiv:
301         case ArithMod: {
302             Edge& leftChild = node->child1();
303             Edge& rightChild = node->child2();
304             if (op == ArithDiv
305                 && Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())
306                 && m_graph.hasExitSite(node->origin.semantic, BadType)) {
307                 fixEdge<UntypedUse>(leftChild);
308                 fixEdge<UntypedUse>(rightChild);
309                 node->setResult(NodeResultJS);
310                 break;
311             }
312             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
313                 if (optimizeForX86() || optimizeForARM64() || optimizeForARMv7IDIVSupported()) {
314                     fixIntOrBooleanEdge(leftChild);
315                     fixIntOrBooleanEdge(rightChild);
316                     if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
317                         node->setArithMode(Arith::Unchecked);
318                     else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
319                         node->setArithMode(Arith::CheckOverflow);
320                     else
321                         node->setArithMode(Arith::CheckOverflowAndNegativeZero);
322                     break;
323                 }
324                 
325                 // This will cause conversion nodes to be inserted later.
326                 fixDoubleOrBooleanEdge(leftChild);
327                 fixDoubleOrBooleanEdge(rightChild);
328                 
329                 // We don't need to do ref'ing on the children because we're stealing them from
330                 // the original division.
331                 Node* newDivision = m_insertionSet.insertNode(
332                     m_indexInBlock, SpecBytecodeDouble, *node);
333                 newDivision->setResult(NodeResultDouble);
334                 
335                 node->setOp(DoubleAsInt32);
336                 node->children.initialize(Edge(newDivision, DoubleRepUse), Edge(), Edge());
337                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
338                     node->setArithMode(Arith::CheckOverflow);
339                 else
340                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
341                 break;
342             }
343             fixDoubleOrBooleanEdge(leftChild);
344             fixDoubleOrBooleanEdge(rightChild);
345             node->setResult(NodeResultDouble);
346             break;
347         }
348             
349         case ArithMin:
350         case ArithMax: {
351             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
352                 fixIntOrBooleanEdge(node->child1());
353                 fixIntOrBooleanEdge(node->child2());
354                 break;
355             }
356             fixDoubleOrBooleanEdge(node->child1());
357             fixDoubleOrBooleanEdge(node->child2());
358             node->setResult(NodeResultDouble);
359             break;
360         }
361             
362         case ArithAbs: {
363             if (node->child1()->shouldSpeculateInt32OrBoolean()
364                 && node->canSpeculateInt32(FixupPass)) {
365                 fixIntOrBooleanEdge(node->child1());
366                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
367                     node->setArithMode(Arith::Unchecked);
368                 else
369                     node->setArithMode(Arith::CheckOverflow);
370                 node->clearFlags(NodeMustGenerate);
371                 node->setResult(NodeResultInt32);
372                 break;
373             }
374
375             if (node->child1()->shouldSpeculateNotCell()) {
376                 fixDoubleOrBooleanEdge(node->child1());
377                 node->clearFlags(NodeMustGenerate);
378             } else
379                 fixEdge<UntypedUse>(node->child1());
380             node->setResult(NodeResultDouble);
381             break;
382         }
383
384         case ArithPow: {
385             if (node->child2()->shouldSpeculateInt32OrBooleanForArithmetic()) {
386                 fixDoubleOrBooleanEdge(node->child1());
387                 fixIntOrBooleanEdge(node->child2());
388                 break;
389             }
390
391             fixDoubleOrBooleanEdge(node->child1());
392             fixDoubleOrBooleanEdge(node->child2());
393             break;
394         }
395
396         case ArithRandom: {
397             node->setResult(NodeResultDouble);
398             break;
399         }
400
401         case ArithRound:
402         case ArithFloor:
403         case ArithCeil:
404         case ArithTrunc: {
405             if (node->child1()->shouldSpeculateInt32OrBoolean() && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
406                 fixIntOrBooleanEdge(node->child1());
407                 insertCheck<Int32Use>(node->child1().node());
408                 node->convertToIdentity();
409                 break;
410             }
411             if (node->child1()->shouldSpeculateNotCell()) {
412                 fixDoubleOrBooleanEdge(node->child1());
413
414                 if (isInt32OrBooleanSpeculation(node->getHeapPrediction()) && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
415                     node->setResult(NodeResultInt32);
416                     if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
417                         node->setArithRoundingMode(Arith::RoundingMode::Int32);
418                     else
419                         node->setArithRoundingMode(Arith::RoundingMode::Int32WithNegativeZeroCheck);
420                 } else {
421                     node->setResult(NodeResultDouble);
422                     node->setArithRoundingMode(Arith::RoundingMode::Double);
423                 }
424                 node->clearFlags(NodeMustGenerate);
425             } else
426                 fixEdge<UntypedUse>(node->child1());
427             break;
428         }
429
430         case ArithFRound:
431         case ArithSqrt:
432         case ArithUnary: {
433             Edge& child1 = node->child1();
434             if (child1->shouldSpeculateNotCell()) {
435                 fixDoubleOrBooleanEdge(child1);
436                 node->clearFlags(NodeMustGenerate);
437             } else
438                 fixEdge<UntypedUse>(child1);
439             break;
440         }
441             
442         case LogicalNot: {
443             if (node->child1()->shouldSpeculateBoolean()) {
444                 if (node->child1()->result() == NodeResultBoolean) {
445                     // This is necessary in case we have a bytecode instruction implemented by:
446                     //
447                     // a: CompareEq(...)
448                     // b: LogicalNot(@a)
449                     //
450                     // In that case, CompareEq might have a side-effect. Then, we need to make
451                     // sure that we know that Branch does not exit.
452                     fixEdge<KnownBooleanUse>(node->child1());
453                 } else
454                     fixEdge<BooleanUse>(node->child1());
455             } else if (node->child1()->shouldSpeculateObjectOrOther())
456                 fixEdge<ObjectOrOtherUse>(node->child1());
457             else if (node->child1()->shouldSpeculateInt32OrBoolean())
458                 fixIntOrBooleanEdge(node->child1());
459             else if (node->child1()->shouldSpeculateNumber())
460                 fixEdge<DoubleRepUse>(node->child1());
461             else if (node->child1()->shouldSpeculateString())
462                 fixEdge<StringUse>(node->child1());
463             else if (node->child1()->shouldSpeculateStringOrOther())
464                 fixEdge<StringOrOtherUse>(node->child1());
465             else {
466                 WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
467                 if (masqueradesAsUndefinedWatchpoint->isStillValid())
468                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
469             }
470             break;
471         }
472
473         case CompareEq:
474         case CompareLess:
475         case CompareLessEq:
476         case CompareGreater:
477         case CompareGreaterEq: {
478             if (node->op() == CompareEq
479                 && Node::shouldSpeculateBoolean(node->child1().node(), node->child2().node())) {
480                 fixEdge<BooleanUse>(node->child1());
481                 fixEdge<BooleanUse>(node->child2());
482                 node->clearFlags(NodeMustGenerate);
483                 break;
484             }
485             if (Node::shouldSpeculateInt32OrBoolean(node->child1().node(), node->child2().node())) {
486                 fixIntOrBooleanEdge(node->child1());
487                 fixIntOrBooleanEdge(node->child2());
488                 node->clearFlags(NodeMustGenerate);
489                 break;
490             }
491             if (enableInt52()
492                 && Node::shouldSpeculateAnyInt(node->child1().node(), node->child2().node())) {
493                 fixEdge<Int52RepUse>(node->child1());
494                 fixEdge<Int52RepUse>(node->child2());
495                 node->clearFlags(NodeMustGenerate);
496                 break;
497             }
498             if (Node::shouldSpeculateNumberOrBoolean(node->child1().node(), node->child2().node())) {
499                 fixDoubleOrBooleanEdge(node->child1());
500                 fixDoubleOrBooleanEdge(node->child2());
501             }
502             if (node->op() != CompareEq
503                 && node->child1()->shouldSpeculateNotCell()
504                 && node->child2()->shouldSpeculateNotCell()) {
505                 if (node->child1()->shouldSpeculateNumberOrBoolean())
506                     fixDoubleOrBooleanEdge(node->child1());
507                 else
508                     fixEdge<DoubleRepUse>(node->child1());
509                 if (node->child2()->shouldSpeculateNumberOrBoolean())
510                     fixDoubleOrBooleanEdge(node->child2());
511                 else
512                     fixEdge<DoubleRepUse>(node->child2());
513                 node->clearFlags(NodeMustGenerate);
514                 break;
515             }
516             if (node->child1()->shouldSpeculateStringIdent() && node->child2()->shouldSpeculateStringIdent()) {
517                 fixEdge<StringIdentUse>(node->child1());
518                 fixEdge<StringIdentUse>(node->child2());
519                 node->clearFlags(NodeMustGenerate);
520                 break;
521             }
522             if (node->child1()->shouldSpeculateString() && node->child2()->shouldSpeculateString() && GPRInfo::numberOfRegisters >= 7) {
523                 fixEdge<StringUse>(node->child1());
524                 fixEdge<StringUse>(node->child2());
525                 node->clearFlags(NodeMustGenerate);
526                 break;
527             }
528
529             if (node->op() != CompareEq)
530                 break;
531             if (Node::shouldSpeculateSymbol(node->child1().node(), node->child2().node())) {
532                 fixEdge<SymbolUse>(node->child1());
533                 fixEdge<SymbolUse>(node->child2());
534                 node->clearFlags(NodeMustGenerate);
535                 break;
536             }
537             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObject()) {
538                 fixEdge<ObjectUse>(node->child1());
539                 fixEdge<ObjectUse>(node->child2());
540                 node->clearFlags(NodeMustGenerate);
541                 break;
542             }
543
544             // If either child can be proved to be Null or Undefined, comparing them is greatly simplified.
545             bool oneArgumentIsUsedAsSpecOther = false;
546             if (node->child1()->isUndefinedOrNullConstant()) {
547                 fixEdge<OtherUse>(node->child1());
548                 oneArgumentIsUsedAsSpecOther = true;
549             } else if (node->child1()->shouldSpeculateOther()) {
550                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
551                     Edge(node->child1().node(), OtherUse));
552                 fixEdge<OtherUse>(node->child1());
553                 oneArgumentIsUsedAsSpecOther = true;
554             }
555             if (node->child2()->isUndefinedOrNullConstant()) {
556                 fixEdge<OtherUse>(node->child2());
557                 oneArgumentIsUsedAsSpecOther = true;
558             } else if (node->child2()->shouldSpeculateOther()) {
559                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
560                     Edge(node->child2().node(), OtherUse));
561                 fixEdge<OtherUse>(node->child2());
562                 oneArgumentIsUsedAsSpecOther = true;
563             }
564             if (oneArgumentIsUsedAsSpecOther) {
565                 node->clearFlags(NodeMustGenerate);
566                 break;
567             }
568
569             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObjectOrOther()) {
570                 fixEdge<ObjectUse>(node->child1());
571                 fixEdge<ObjectOrOtherUse>(node->child2());
572                 node->clearFlags(NodeMustGenerate);
573                 break;
574             }
575             if (node->child1()->shouldSpeculateObjectOrOther() && node->child2()->shouldSpeculateObject()) {
576                 fixEdge<ObjectOrOtherUse>(node->child1());
577                 fixEdge<ObjectUse>(node->child2());
578                 node->clearFlags(NodeMustGenerate);
579                 break;
580             }
581
582             break;
583         }
584             
585         case CompareStrictEq: {
586             if (Node::shouldSpeculateBoolean(node->child1().node(), node->child2().node())) {
587                 fixEdge<BooleanUse>(node->child1());
588                 fixEdge<BooleanUse>(node->child2());
589                 break;
590             }
591             if (Node::shouldSpeculateInt32(node->child1().node(), node->child2().node())) {
592                 fixEdge<Int32Use>(node->child1());
593                 fixEdge<Int32Use>(node->child2());
594                 break;
595             }
596             if (enableInt52()
597                 && Node::shouldSpeculateAnyInt(node->child1().node(), node->child2().node())) {
598                 fixEdge<Int52RepUse>(node->child1());
599                 fixEdge<Int52RepUse>(node->child2());
600                 break;
601             }
602             if (Node::shouldSpeculateNumber(node->child1().node(), node->child2().node())) {
603                 fixEdge<DoubleRepUse>(node->child1());
604                 fixEdge<DoubleRepUse>(node->child2());
605                 break;
606             }
607             if (Node::shouldSpeculateSymbol(node->child1().node(), node->child2().node())) {
608                 fixEdge<SymbolUse>(node->child1());
609                 fixEdge<SymbolUse>(node->child2());
610                 break;
611             }
612             if (node->child1()->shouldSpeculateStringIdent() && node->child2()->shouldSpeculateStringIdent()) {
613                 fixEdge<StringIdentUse>(node->child1());
614                 fixEdge<StringIdentUse>(node->child2());
615                 break;
616             }
617             if (node->child1()->shouldSpeculateString() && node->child2()->shouldSpeculateString() && ((GPRInfo::numberOfRegisters >= 7) || isFTL(m_graph.m_plan.mode))) {
618                 fixEdge<StringUse>(node->child1());
619                 fixEdge<StringUse>(node->child2());
620                 break;
621             }
622             WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
623             if (masqueradesAsUndefinedWatchpoint->isStillValid()) {
624                 
625                 if (node->child1()->shouldSpeculateObject()) {
626                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
627                     fixEdge<ObjectUse>(node->child1());
628                     break;
629                 }
630                 if (node->child2()->shouldSpeculateObject()) {
631                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
632                     fixEdge<ObjectUse>(node->child2());
633                     break;
634                 }
635                 
636             } else if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObject()) {
637                 fixEdge<ObjectUse>(node->child1());
638                 fixEdge<ObjectUse>(node->child2());
639                 break;
640             }
641             if (node->child1()->shouldSpeculateSymbol()) {
642                 fixEdge<SymbolUse>(node->child1());
643                 break;
644             }
645             if (node->child2()->shouldSpeculateSymbol()) {
646                 fixEdge<SymbolUse>(node->child2());
647                 break;
648             }
649             if (node->child1()->shouldSpeculateMisc()) {
650                 fixEdge<MiscUse>(node->child1());
651                 break;
652             }
653             if (node->child2()->shouldSpeculateMisc()) {
654                 fixEdge<MiscUse>(node->child2());
655                 break;
656             }
657             if (node->child1()->shouldSpeculateStringIdent()
658                 && node->child2()->shouldSpeculateNotStringVar()) {
659                 fixEdge<StringIdentUse>(node->child1());
660                 fixEdge<NotStringVarUse>(node->child2());
661                 break;
662             }
663             if (node->child2()->shouldSpeculateStringIdent()
664                 && node->child1()->shouldSpeculateNotStringVar()) {
665                 fixEdge<StringIdentUse>(node->child2());
666                 fixEdge<NotStringVarUse>(node->child1());
667                 break;
668             }
669             if (node->child1()->shouldSpeculateString() && ((GPRInfo::numberOfRegisters >= 8) || isFTL(m_graph.m_plan.mode))) {
670                 fixEdge<StringUse>(node->child1());
671                 break;
672             }
673             if (node->child2()->shouldSpeculateString() && ((GPRInfo::numberOfRegisters >= 8) || isFTL(m_graph.m_plan.mode))) {
674                 fixEdge<StringUse>(node->child2());
675                 break;
676             }
677             break;
678         }
679             
680         case StringFromCharCode:
681             if (node->child1()->shouldSpeculateInt32())
682                 fixEdge<Int32Use>(node->child1());
683             else
684                 fixEdge<UntypedUse>(node->child1());
685             break;
686
687         case StringCharAt:
688         case StringCharCodeAt: {
689             // Currently we have no good way of refining these.
690             ASSERT(node->arrayMode() == ArrayMode(Array::String));
691             blessArrayOperation(node->child1(), node->child2(), node->child3());
692             fixEdge<KnownCellUse>(node->child1());
693             fixEdge<Int32Use>(node->child2());
694             break;
695         }
696
697         case GetByVal: {
698             if (!node->prediction()) {
699                 m_insertionSet.insertNode(
700                     m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
701             }
702             
703             node->setArrayMode(
704                 node->arrayMode().refine(
705                     m_graph, node,
706                     node->child1()->prediction(),
707                     node->child2()->prediction(),
708                     SpecNone));
709             
710             blessArrayOperation(node->child1(), node->child2(), node->child3());
711             
712             ArrayMode arrayMode = node->arrayMode();
713             switch (arrayMode.type()) {
714             case Array::Contiguous:
715             case Array::Double:
716                 if (arrayMode.arrayClass() == Array::OriginalArray
717                     && arrayMode.speculation() == Array::InBounds) {
718                     JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
719                     if (globalObject->arrayPrototypeChainIsSane()) {
720                         // Check if SaneChain will work on a per-type basis. Note that:
721                         //
722                         // 1) We don't want double arrays to sometimes return undefined, since
723                         // that would require a change to the return type and it would pessimise
724                         // things a lot. So, we'd only want to do that if we actually had
725                         // evidence that we could read from a hole. That's pretty annoying.
726                         // Likely the best way to handle that case is with an equivalent of
727                         // SaneChain for OutOfBounds. For now we just detect when Undefined and
728                         // NaN are indistinguishable according to backwards propagation, and just
729                         // use SaneChain in that case. This happens to catch a lot of cases.
730                         //
731                         // 2) We don't want int32 array loads to have to do a hole check just to
732                         // coerce to Undefined, since that would mean twice the checks.
733                         //
734                         // This has two implications. First, we have to do more checks than we'd
735                         // like. It's unfortunate that we have to do the hole check. Second,
736                         // some accesses that hit a hole will now need to take the full-blown
737                         // out-of-bounds slow path. We can fix that with:
738                         // https://bugs.webkit.org/show_bug.cgi?id=144668
739                         
740                         bool canDoSaneChain = false;
741                         switch (arrayMode.type()) {
742                         case Array::Contiguous:
743                             // This is happens to be entirely natural. We already would have
744                             // returned any JSValue, and now we'll return Undefined. We still do
745                             // the check but it doesn't require taking any kind of slow path.
746                             canDoSaneChain = true;
747                             break;
748                             
749                         case Array::Double:
750                             if (!(node->flags() & NodeBytecodeUsesAsOther)) {
751                                 // Holes look like NaN already, so if the user doesn't care
752                                 // about the difference between Undefined and NaN then we can
753                                 // do this.
754                                 canDoSaneChain = true;
755                             }
756                             break;
757                             
758                         default:
759                             break;
760                         }
761                         
762                         if (canDoSaneChain) {
763                             m_graph.watchpoints().addLazily(
764                                 globalObject->arrayPrototype()->structure()->transitionWatchpointSet());
765                             m_graph.watchpoints().addLazily(
766                                 globalObject->objectPrototype()->structure()->transitionWatchpointSet());
767                             if (globalObject->arrayPrototypeChainIsSane())
768                                 node->setArrayMode(arrayMode.withSpeculation(Array::SaneChain));
769                         }
770                     }
771                 }
772                 break;
773                 
774             case Array::String:
775                 if ((node->prediction() & ~SpecString)
776                     || m_graph.hasExitSite(node->origin.semantic, OutOfBounds))
777                     node->setArrayMode(arrayMode.withSpeculation(Array::OutOfBounds));
778                 break;
779                 
780             default:
781                 break;
782             }
783             
784             arrayMode = node->arrayMode();
785             switch (arrayMode.type()) {
786             case Array::SelectUsingPredictions:
787             case Array::Unprofiled:
788                 RELEASE_ASSERT_NOT_REACHED();
789                 break;
790             case Array::Generic:
791                 if (node->child1()->shouldSpeculateObject()) {
792                     if (node->child2()->shouldSpeculateString()) {
793                         fixEdge<ObjectUse>(node->child1());
794                         fixEdge<StringUse>(node->child2());
795                         break;
796                     }
797
798                     if (node->child2()->shouldSpeculateSymbol()) {
799                         fixEdge<ObjectUse>(node->child1());
800                         fixEdge<SymbolUse>(node->child2());
801                         break;
802                     }
803                 }
804 #if USE(JSVALUE32_64)
805                 fixEdge<CellUse>(node->child1()); // Speculating cell due to register pressure on 32-bit.
806 #endif
807                 break;
808             case Array::ForceExit:
809                 break;
810             default:
811                 fixEdge<KnownCellUse>(node->child1());
812                 fixEdge<Int32Use>(node->child2());
813                 break;
814             }
815             
816             switch (arrayMode.type()) {
817             case Array::Double:
818                 if (!arrayMode.isOutOfBounds())
819                     node->setResult(NodeResultDouble);
820                 break;
821                 
822             case Array::Float32Array:
823             case Array::Float64Array:
824                 node->setResult(NodeResultDouble);
825                 break;
826                 
827             case Array::Uint32Array:
828                 if (node->shouldSpeculateInt32())
829                     break;
830                 if (node->shouldSpeculateAnyInt() && enableInt52())
831                     node->setResult(NodeResultInt52);
832                 else
833                     node->setResult(NodeResultDouble);
834                 break;
835                 
836             default:
837                 break;
838             }
839             
840             break;
841         }
842
843         case PutByValDirect:
844         case PutByVal:
845         case PutByValAlias: {
846             Edge& child1 = m_graph.varArgChild(node, 0);
847             Edge& child2 = m_graph.varArgChild(node, 1);
848             Edge& child3 = m_graph.varArgChild(node, 2);
849
850             node->setArrayMode(
851                 node->arrayMode().refine(
852                     m_graph, node,
853                     child1->prediction(),
854                     child2->prediction(),
855                     child3->prediction()));
856             
857             blessArrayOperation(child1, child2, m_graph.varArgChild(node, 3));
858             
859             switch (node->arrayMode().modeForPut().type()) {
860             case Array::SelectUsingPredictions:
861             case Array::SelectUsingArguments:
862             case Array::Unprofiled:
863             case Array::Undecided:
864                 RELEASE_ASSERT_NOT_REACHED();
865                 break;
866             case Array::ForceExit:
867             case Array::Generic:
868                 if (child1->shouldSpeculateCell()) {
869                     if (child2->shouldSpeculateString()) {
870                         fixEdge<CellUse>(child1);
871                         fixEdge<StringUse>(child2);
872                         break;
873                     }
874
875                     if (child2->shouldSpeculateSymbol()) {
876                         fixEdge<CellUse>(child1);
877                         fixEdge<SymbolUse>(child2);
878                         break;
879                     }
880                 }
881 #if USE(JSVALUE32_64)
882                 // Due to register pressure on 32-bit, we speculate cell and
883                 // ignore the base-is-not-cell case entirely by letting the
884                 // baseline JIT handle it.
885                 fixEdge<CellUse>(child1);
886 #endif
887                 break;
888             case Array::Int32:
889                 fixEdge<KnownCellUse>(child1);
890                 fixEdge<Int32Use>(child2);
891                 fixEdge<Int32Use>(child3);
892                 break;
893             case Array::Double:
894                 fixEdge<KnownCellUse>(child1);
895                 fixEdge<Int32Use>(child2);
896                 fixEdge<DoubleRepRealUse>(child3);
897                 break;
898             case Array::Int8Array:
899             case Array::Int16Array:
900             case Array::Int32Array:
901             case Array::Uint8Array:
902             case Array::Uint8ClampedArray:
903             case Array::Uint16Array:
904             case Array::Uint32Array:
905                 fixEdge<KnownCellUse>(child1);
906                 fixEdge<Int32Use>(child2);
907                 if (child3->shouldSpeculateInt32())
908                     fixIntOrBooleanEdge(child3);
909                 else if (child3->shouldSpeculateAnyInt())
910                     fixEdge<Int52RepUse>(child3);
911                 else
912                     fixDoubleOrBooleanEdge(child3);
913                 break;
914             case Array::Float32Array:
915             case Array::Float64Array:
916                 fixEdge<KnownCellUse>(child1);
917                 fixEdge<Int32Use>(child2);
918                 fixDoubleOrBooleanEdge(child3);
919                 break;
920             case Array::Contiguous:
921             case Array::ArrayStorage:
922             case Array::SlowPutArrayStorage:
923                 fixEdge<KnownCellUse>(child1);
924                 fixEdge<Int32Use>(child2);
925                 speculateForBarrier(child3);
926                 break;
927             default:
928                 fixEdge<KnownCellUse>(child1);
929                 fixEdge<Int32Use>(child2);
930                 break;
931             }
932             break;
933         }
934             
935         case AtomicsAdd:
936         case AtomicsAnd:
937         case AtomicsCompareExchange:
938         case AtomicsExchange:
939         case AtomicsLoad:
940         case AtomicsOr:
941         case AtomicsStore:
942         case AtomicsSub:
943         case AtomicsXor: {
944             Edge& base = m_graph.child(node, 0);
945             Edge& index = m_graph.child(node, 1);
946             
947             bool badNews = false;
948             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
949                 Edge& child = m_graph.child(node, 2 + i);
950                 // NOTE: DFG is not smart enough to handle double->int conversions in atomics. So, we
951                 // just call the function when that happens. But the FTL is totally cool with those
952                 // conversions.
953                 if (!child->shouldSpeculateInt32()
954                     && !child->shouldSpeculateAnyInt()
955                     && !(child->shouldSpeculateNumberOrBoolean() && isFTL(m_graph.m_plan.mode)))
956                     badNews = true;
957             }
958             
959             if (badNews) {
960                 node->setArrayMode(ArrayMode(Array::Generic));
961                 break;
962             }
963             
964             node->setArrayMode(
965                 node->arrayMode().refine(
966                     m_graph, node, base->prediction(), index->prediction()));
967             
968             if (node->arrayMode().type() == Array::Generic)
969                 break;
970             
971             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
972                 Edge& child = m_graph.child(node, 2 + i);
973                 if (child->shouldSpeculateInt32())
974                     fixIntOrBooleanEdge(child);
975                 else if (child->shouldSpeculateAnyInt())
976                     fixEdge<Int52RepUse>(child);
977                 else {
978                     RELEASE_ASSERT(child->shouldSpeculateNumberOrBoolean() && isFTL(m_graph.m_plan.mode));
979                     fixDoubleOrBooleanEdge(child);
980                 }
981             }
982             
983             blessArrayOperation(base, index, m_graph.child(node, 2 + numExtraAtomicsArgs(node->op())));
984             fixEdge<CellUse>(base);
985             fixEdge<Int32Use>(index);
986             
987             if (node->arrayMode().type() == Array::Uint32Array) {
988                 // NOTE: This means basically always doing Int52.
989                 if (node->shouldSpeculateAnyInt() && enableInt52())
990                     node->setResult(NodeResultInt52);
991                 else
992                     node->setResult(NodeResultDouble);
993             }
994             break;
995         }
996             
997         case AtomicsIsLockFree:
998             if (node->child1()->shouldSpeculateInt32())
999                 fixIntOrBooleanEdge(node->child1());
1000             break;
1001             
1002         case ArrayPush: {
1003             // May need to refine the array mode in case the value prediction contravenes
1004             // the array prediction. For example, we may have evidence showing that the
1005             // array is in Int32 mode, but the value we're storing is likely to be a double.
1006             // Then we should turn this into a conversion to Double array followed by the
1007             // push. On the other hand, we absolutely don't want to refine based on the
1008             // base prediction. If it has non-cell garbage in it, then we want that to be
1009             // ignored. That's because ArrayPush can't handle any array modes that aren't
1010             // array-related - so if refine() turned this into a "Generic" ArrayPush then
1011             // that would break things.
1012             Edge& storageEdge = m_graph.varArgChild(node, 0);
1013             Edge& arrayEdge = m_graph.varArgChild(node, 1);
1014             unsigned elementOffset = 2;
1015             unsigned elementCount = node->numChildren() - elementOffset;
1016             for (unsigned i = 0; i < elementCount; ++i) {
1017                 Edge& element = m_graph.varArgChild(node, i + elementOffset);
1018                 node->setArrayMode(
1019                     node->arrayMode().refine(
1020                         m_graph, node,
1021                         arrayEdge->prediction() & SpecCell,
1022                         SpecInt32Only,
1023                         element->prediction()));
1024             }
1025             blessArrayOperation(arrayEdge, Edge(), storageEdge);
1026             fixEdge<KnownCellUse>(arrayEdge);
1027
1028             // Convert `array.push()` to GetArrayLength.
1029             ASSERT(node->arrayMode().supportsSelfLength());
1030             if (!elementCount) {
1031                 node->setOpAndDefaultFlags(GetArrayLength);
1032                 node->child1() = arrayEdge;
1033                 node->child2() = storageEdge;
1034                 fixEdge<KnownCellUse>(node->child1());
1035                 break;
1036             }
1037
1038             // We do not want to perform osr exit and retry for ArrayPush. We insert Check with appropriate type,
1039             // and ArrayPush uses the edge as known typed edge. Therefore, ArrayPush do not need to perform type checks.
1040             for (unsigned i = 0; i < elementCount; ++i) {
1041                 Edge& element = m_graph.varArgChild(node, i + elementOffset);
1042                 switch (node->arrayMode().type()) {
1043                 case Array::Int32:
1044                     insertCheck<Int32Use>(element.node());
1045                     fixEdge<KnownInt32Use>(element);
1046                     break;
1047                 case Array::Double:
1048                     insertCheck<DoubleRepRealUse>(element.node());
1049                     fixEdge<DoubleRepUse>(element);
1050                     break;
1051                 case Array::Contiguous:
1052                 case Array::ArrayStorage:
1053                     speculateForBarrier(element);
1054                     break;
1055                 default:
1056                     RELEASE_ASSERT_NOT_REACHED();
1057                 }
1058                 ASSERT(shouldNotHaveTypeCheck(element.useKind()));
1059             }
1060             break;
1061         }
1062             
1063         case ArrayPop: {
1064             blessArrayOperation(node->child1(), Edge(), node->child2());
1065             fixEdge<KnownCellUse>(node->child1());
1066             break;
1067         }
1068
1069         case ArraySlice: {
1070             fixEdge<KnownCellUse>(m_graph.varArgChild(node, 0));
1071             fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
1072             if (node->numChildren() == 4)
1073                 fixEdge<Int32Use>(m_graph.varArgChild(node, 2));
1074             break;
1075         }
1076
1077         case ArrayIndexOf:
1078             fixupArrayIndexOf(node);
1079             break;
1080             
1081         case RegExpExec:
1082         case RegExpTest: {
1083             fixEdge<KnownCellUse>(node->child1());
1084             
1085             if (node->child2()->shouldSpeculateRegExpObject()) {
1086                 fixEdge<RegExpObjectUse>(node->child2());
1087
1088                 if (node->child3()->shouldSpeculateString())
1089                     fixEdge<StringUse>(node->child3());
1090             }
1091             break;
1092         }
1093
1094         case StringReplace:
1095         case StringReplaceRegExp: {
1096             if (node->child2()->shouldSpeculateString()) {
1097                 m_insertionSet.insertNode(
1098                     m_indexInBlock, SpecNone, Check, node->origin,
1099                     Edge(node->child2().node(), StringUse));
1100                 fixEdge<StringUse>(node->child2());
1101             } else if (op == StringReplace) {
1102                 if (node->child2()->shouldSpeculateRegExpObject())
1103                     addStringReplacePrimordialChecks(node->child2().node());
1104                 else 
1105                     m_insertionSet.insertNode(
1106                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1107             }
1108
1109             if (node->child1()->shouldSpeculateString()
1110                 && node->child2()->shouldSpeculateRegExpObject()
1111                 && node->child3()->shouldSpeculateString()) {
1112
1113                 fixEdge<StringUse>(node->child1());
1114                 fixEdge<RegExpObjectUse>(node->child2());
1115                 fixEdge<StringUse>(node->child3());
1116                 break;
1117             }
1118             break;
1119         }
1120             
1121         case Branch: {
1122             if (node->child1()->shouldSpeculateBoolean()) {
1123                 if (node->child1()->result() == NodeResultBoolean) {
1124                     // This is necessary in case we have a bytecode instruction implemented by:
1125                     //
1126                     // a: CompareEq(...)
1127                     // b: Branch(@a)
1128                     //
1129                     // In that case, CompareEq might have a side-effect. Then, we need to make
1130                     // sure that we know that Branch does not exit.
1131                     fixEdge<KnownBooleanUse>(node->child1());
1132                 } else
1133                     fixEdge<BooleanUse>(node->child1());
1134             } else if (node->child1()->shouldSpeculateObjectOrOther())
1135                 fixEdge<ObjectOrOtherUse>(node->child1());
1136             else if (node->child1()->shouldSpeculateInt32OrBoolean())
1137                 fixIntOrBooleanEdge(node->child1());
1138             else if (node->child1()->shouldSpeculateNumber())
1139                 fixEdge<DoubleRepUse>(node->child1());
1140             else if (node->child1()->shouldSpeculateString())
1141                 fixEdge<StringUse>(node->child1());
1142             else if (node->child1()->shouldSpeculateStringOrOther())
1143                 fixEdge<StringOrOtherUse>(node->child1());
1144             else {
1145                 WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
1146                 if (masqueradesAsUndefinedWatchpoint->isStillValid())
1147                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
1148             }
1149             break;
1150         }
1151             
1152         case Switch: {
1153             SwitchData* data = node->switchData();
1154             switch (data->kind) {
1155             case SwitchImm:
1156                 if (node->child1()->shouldSpeculateInt32())
1157                     fixEdge<Int32Use>(node->child1());
1158                 break;
1159             case SwitchChar:
1160                 if (node->child1()->shouldSpeculateString())
1161                     fixEdge<StringUse>(node->child1());
1162                 break;
1163             case SwitchString:
1164                 if (node->child1()->shouldSpeculateStringIdent())
1165                     fixEdge<StringIdentUse>(node->child1());
1166                 else if (node->child1()->shouldSpeculateString())
1167                     fixEdge<StringUse>(node->child1());
1168                 break;
1169             case SwitchCell:
1170                 if (node->child1()->shouldSpeculateCell())
1171                     fixEdge<CellUse>(node->child1());
1172                 // else it's fine for this to have UntypedUse; we will handle this by just making
1173                 // non-cells take the default case.
1174                 break;
1175             }
1176             break;
1177         }
1178             
1179         case ToPrimitive: {
1180             fixupToPrimitive(node);
1181             break;
1182         }
1183
1184         case ToNumber: {
1185             fixupToNumber(node);
1186             break;
1187         }
1188             
1189         case ToString:
1190         case CallStringConstructor: {
1191             fixupToStringOrCallStringConstructor(node);
1192             break;
1193         }
1194             
1195         case NewStringObject: {
1196             fixEdge<KnownStringUse>(node->child1());
1197             break;
1198         }
1199
1200         case NewArrayWithSpread: {
1201             watchHavingABadTime(node);
1202             
1203             BitVector* bitVector = node->bitVector();
1204             for (unsigned i = node->numChildren(); i--;) {
1205                 if (bitVector->get(i))
1206                     fixEdge<KnownCellUse>(m_graph.m_varArgChildren[node->firstChild() + i]);
1207                 else
1208                     fixEdge<UntypedUse>(m_graph.m_varArgChildren[node->firstChild() + i]);
1209             }
1210
1211             break;
1212         }
1213
1214         case Spread: {
1215             // Note: We care about performing the protocol on our child's global object, not necessarily ours.
1216             
1217             watchHavingABadTime(node->child1().node());
1218
1219             JSGlobalObject* globalObject = m_graph.globalObjectFor(node->child1()->origin.semantic);
1220             // When we go down the fast path, we don't consult the prototype chain, so we must prove
1221             // that it doesn't contain any indexed properties, and that any holes will result in
1222             // jsUndefined().
1223             InlineWatchpointSet& objectPrototypeTransition = globalObject->objectPrototype()->structure()->transitionWatchpointSet();
1224             InlineWatchpointSet& arrayPrototypeTransition = globalObject->arrayPrototype()->structure()->transitionWatchpointSet();
1225             if (node->child1()->shouldSpeculateArray() 
1226                 && arrayPrototypeTransition.isStillValid() 
1227                 && objectPrototypeTransition.isStillValid() 
1228                 && globalObject->arrayPrototypeChainIsSane()
1229                 && m_graph.isWatchingArrayIteratorProtocolWatchpoint(node->child1().node())
1230                 && m_graph.isWatchingHavingABadTimeWatchpoint(node->child1().node())) {
1231                 m_graph.watchpoints().addLazily(objectPrototypeTransition);
1232                 m_graph.watchpoints().addLazily(arrayPrototypeTransition);
1233                 fixEdge<ArrayUse>(node->child1());
1234             } else
1235                 fixEdge<CellUse>(node->child1());
1236             break;
1237         }
1238             
1239         case NewArray: {
1240             watchHavingABadTime(node);
1241             
1242             for (unsigned i = m_graph.varArgNumChildren(node); i--;) {
1243                 node->setIndexingType(
1244                     leastUpperBoundOfIndexingTypeAndType(
1245                         node->indexingType(), m_graph.varArgChild(node, i)->prediction()));
1246             }
1247             switch (node->indexingType()) {
1248             case ALL_BLANK_INDEXING_TYPES:
1249                 CRASH();
1250                 break;
1251             case ALL_UNDECIDED_INDEXING_TYPES:
1252                 if (node->numChildren()) {
1253                     // This will only happen if the children have no type predictions. We
1254                     // would have already exited by now, but insert a forced exit just to
1255                     // be safe.
1256                     m_insertionSet.insertNode(
1257                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1258                 }
1259                 break;
1260             case ALL_INT32_INDEXING_TYPES:
1261                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1262                     fixEdge<Int32Use>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1263                 break;
1264             case ALL_DOUBLE_INDEXING_TYPES:
1265                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1266                     fixEdge<DoubleRepRealUse>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1267                 break;
1268             case ALL_CONTIGUOUS_INDEXING_TYPES:
1269             case ALL_ARRAY_STORAGE_INDEXING_TYPES:
1270                 break;
1271             default:
1272                 CRASH();
1273                 break;
1274             }
1275             break;
1276         }
1277             
1278         case NewTypedArray: {
1279             watchHavingABadTime(node);
1280             
1281             if (node->child1()->shouldSpeculateInt32()) {
1282                 fixEdge<Int32Use>(node->child1());
1283                 node->clearFlags(NodeMustGenerate);
1284                 break;
1285             }
1286             break;
1287         }
1288             
1289         case NewArrayWithSize: {
1290             watchHavingABadTime(node);
1291             fixEdge<Int32Use>(node->child1());
1292             break;
1293         }
1294
1295         case NewArrayBuffer: {
1296             watchHavingABadTime(node);
1297             break;
1298         }
1299
1300         case CallObjectConstructor: {
1301             if (node->child1()->shouldSpeculateObject()) {
1302                 fixEdge<ObjectUse>(node->child1());
1303                 node->convertToIdentity();
1304                 break;
1305             }
1306
1307             fixEdge<UntypedUse>(node->child1());
1308             break;
1309         }
1310
1311         case ToThis: {
1312             fixupToThis(node);
1313             break;
1314         }
1315             
1316         case PutStructure: {
1317             fixEdge<KnownCellUse>(node->child1());
1318             break;
1319         }
1320             
1321         case GetClosureVar:
1322         case GetFromArguments: {
1323             fixEdge<KnownCellUse>(node->child1());
1324             break;
1325         }
1326
1327         case PutClosureVar:
1328         case PutToArguments: {
1329             fixEdge<KnownCellUse>(node->child1());
1330             speculateForBarrier(node->child2());
1331             break;
1332         }
1333
1334         case SkipScope:
1335         case GetScope:
1336         case GetGetter:
1337         case GetSetter:
1338         case GetGlobalObject: {
1339             fixEdge<KnownCellUse>(node->child1());
1340             break;
1341         }
1342             
1343         case AllocatePropertyStorage:
1344         case ReallocatePropertyStorage: {
1345             fixEdge<KnownCellUse>(node->child1());
1346             break;
1347         }
1348             
1349         case NukeStructureAndSetButterfly: {
1350             fixEdge<KnownCellUse>(node->child1());
1351             break;
1352         }
1353
1354         case TryGetById: {
1355             if (node->child1()->shouldSpeculateCell())
1356                 fixEdge<CellUse>(node->child1());
1357             break;
1358         }
1359
1360         case GetById:
1361         case GetByIdFlush: {
1362             // FIXME: This should be done in the ByteCodeParser based on reading the
1363             // PolymorphicAccess, which will surely tell us that this is a AccessCase::ArrayLength.
1364             // https://bugs.webkit.org/show_bug.cgi?id=154990
1365             auto uid = m_graph.identifiers()[node->identifierNumber()];
1366             if (node->child1()->shouldSpeculateCellOrOther()
1367                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1368                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1369                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1370                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1371                 
1372                 if (uid == vm().propertyNames->length.impl()) {
1373                     attemptToMakeGetArrayLength(node);
1374                     break;
1375                 }
1376
1377                 if (uid == vm().propertyNames->lastIndex.impl()
1378                     && node->child1()->shouldSpeculateRegExpObject()) {
1379                     node->setOp(GetRegExpObjectLastIndex);
1380                     node->clearFlags(NodeMustGenerate);
1381                     fixEdge<RegExpObjectUse>(node->child1());
1382                     break;
1383                 }
1384             }
1385
1386             if (node->child1()->shouldSpeculateNumber()) {
1387                 if (uid == vm().propertyNames->toString.impl()) {
1388                     if (m_graph.isWatchingNumberToStringWatchpoint(node)) {
1389                         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
1390                         if (node->child1()->shouldSpeculateInt32()) {
1391                             insertCheck<Int32Use>(node->child1().node());
1392                             m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1393                             break;
1394                         }
1395
1396                         if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
1397                             insertCheck<Int52RepUse>(node->child1().node());
1398                             m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1399                             break;
1400                         }
1401
1402                         ASSERT(node->child1()->shouldSpeculateNumber());
1403                         insertCheck<DoubleRepUse>(node->child1().node());
1404                         m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1405                         break;
1406                     }
1407                 }
1408             }
1409
1410             if (node->child1()->shouldSpeculateCell())
1411                 fixEdge<CellUse>(node->child1());
1412             break;
1413         }
1414         
1415         case GetByIdWithThis: {
1416             if (node->child1()->shouldSpeculateCell() && node->child2()->shouldSpeculateCell()) {
1417                 fixEdge<CellUse>(node->child1());
1418                 fixEdge<CellUse>(node->child2());
1419             }
1420             break;
1421         }
1422
1423         case PutById:
1424         case PutByIdFlush:
1425         case PutByIdDirect: {
1426             if (node->child1()->shouldSpeculateCellOrOther()
1427                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1428                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1429                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1430                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1431                 
1432                 auto uid = m_graph.identifiers()[node->identifierNumber()];
1433                 
1434                 if (uid == vm().propertyNames->lastIndex.impl()
1435                     && node->child1()->shouldSpeculateRegExpObject()) {
1436                     node->setOp(SetRegExpObjectLastIndex);
1437                     fixEdge<RegExpObjectUse>(node->child1());
1438                     speculateForBarrier(node->child2());
1439                     break;
1440                 }
1441             }
1442             
1443             fixEdge<CellUse>(node->child1());
1444             break;
1445         }
1446
1447         case PutGetterById:
1448         case PutSetterById: {
1449             fixEdge<KnownCellUse>(node->child1());
1450             fixEdge<KnownCellUse>(node->child2());
1451             break;
1452         }
1453
1454         case PutGetterSetterById: {
1455             fixEdge<KnownCellUse>(node->child1());
1456             break;
1457         }
1458
1459         case PutGetterByVal:
1460         case PutSetterByVal: {
1461             fixEdge<KnownCellUse>(node->child1());
1462             fixEdge<KnownCellUse>(node->child3());
1463             break;
1464         }
1465
1466         case GetExecutable: {
1467             fixEdge<FunctionUse>(node->child1());
1468             break;
1469         }
1470
1471         case OverridesHasInstance:
1472         case CheckStructure:
1473         case CheckCell:
1474         case CreateThis:
1475         case GetButterfly:
1476         case GetButterflyWithoutCaging: {
1477             fixEdge<CellUse>(node->child1());
1478             break;
1479         }
1480
1481         case CheckStringIdent: {
1482             fixEdge<StringIdentUse>(node->child1());
1483             break;
1484         }
1485             
1486         case Arrayify:
1487         case ArrayifyToStructure: {
1488             fixEdge<CellUse>(node->child1());
1489             if (node->child2())
1490                 fixEdge<Int32Use>(node->child2());
1491             break;
1492         }
1493             
1494         case GetByOffset:
1495         case GetGetterSetterByOffset: {
1496             if (!node->child1()->hasStorageResult())
1497                 fixEdge<KnownCellUse>(node->child1());
1498             fixEdge<KnownCellUse>(node->child2());
1499             break;
1500         }
1501             
1502         case MultiGetByOffset: {
1503             fixEdge<CellUse>(node->child1());
1504             break;
1505         }
1506             
1507         case PutByOffset: {
1508             if (!node->child1()->hasStorageResult())
1509                 fixEdge<KnownCellUse>(node->child1());
1510             fixEdge<KnownCellUse>(node->child2());
1511             unsigned index = indexForChecks();
1512             insertInferredTypeCheck(
1513                 m_insertionSet, index, originForCheck(index), node->child3().node(),
1514                 node->storageAccessData().inferredType);
1515             speculateForBarrier(node->child3());
1516             break;
1517         }
1518             
1519         case MultiPutByOffset: {
1520             fixEdge<CellUse>(node->child1());
1521             break;
1522         }
1523             
1524         case InstanceOf: {
1525             if (!(node->child1()->prediction() & ~SpecCell))
1526                 fixEdge<CellUse>(node->child1());
1527             fixEdge<CellUse>(node->child2());
1528             break;
1529         }
1530
1531         case InstanceOfCustom:
1532             fixEdge<CellUse>(node->child2());
1533             break;
1534
1535         case In: {
1536             if (node->child2()->shouldSpeculateInt32()) {
1537                 convertToHasIndexedProperty(node);
1538                 break;
1539             }
1540
1541             fixEdge<CellUse>(node->child1());
1542             break;
1543         }
1544
1545         case HasOwnProperty: {
1546             fixEdge<ObjectUse>(node->child1());
1547 #if (CPU(X86) || CPU(MIPS)) && USE(JSVALUE32_64)
1548             // We don't have enough registers to do anything interesting on x86 and mips.
1549             fixEdge<UntypedUse>(node->child2());
1550 #else
1551             if (node->child2()->shouldSpeculateString())
1552                 fixEdge<StringUse>(node->child2());
1553             else if (node->child2()->shouldSpeculateSymbol())
1554                 fixEdge<SymbolUse>(node->child2());
1555             else
1556                 fixEdge<UntypedUse>(node->child2());
1557 #endif
1558             break;
1559         }
1560
1561         case Check: {
1562             m_graph.doToChildren(
1563                 node,
1564                 [&] (Edge& edge) {
1565                     switch (edge.useKind()) {
1566                     case NumberUse:
1567                         if (edge->shouldSpeculateInt32ForArithmetic())
1568                             edge.setUseKind(Int32Use);
1569                         break;
1570                     default:
1571                         break;
1572                     }
1573                     observeUseKindOnEdge(edge);
1574                 });
1575             break;
1576         }
1577
1578         case Phantom:
1579             // Phantoms are meaningless past Fixup. We recreate them on-demand in the backend.
1580             node->remove();
1581             break;
1582
1583         case FiatInt52: {
1584             RELEASE_ASSERT(enableInt52());
1585             node->convertToIdentity();
1586             fixEdge<Int52RepUse>(node->child1());
1587             node->setResult(NodeResultInt52);
1588             break;
1589         }
1590
1591         case GetArrayLength: {
1592             fixEdge<KnownCellUse>(node->child1());
1593             break;
1594         }
1595
1596         case GetTypedArrayByteOffset: {
1597             fixEdge<KnownCellUse>(node->child1());
1598             break;
1599         }
1600
1601         case Phi:
1602         case Upsilon:
1603         case EntrySwitch:
1604         case GetIndexedPropertyStorage:
1605         case LastNodeType:
1606         case CheckTierUpInLoop:
1607         case CheckTierUpAtReturn:
1608         case CheckTierUpAndOSREnter:
1609         case InvalidationPoint:
1610         case CheckArray:
1611         case CheckInBounds:
1612         case ConstantStoragePointer:
1613         case DoubleAsInt32:
1614         case ValueToInt32:
1615         case DoubleRep:
1616         case ValueRep:
1617         case Int52Rep:
1618         case Int52Constant:
1619         case Identity: // This should have been cleaned up.
1620         case BooleanToNumber:
1621         case PhantomNewObject:
1622         case PhantomNewFunction:
1623         case PhantomNewGeneratorFunction:
1624         case PhantomNewAsyncGeneratorFunction:
1625         case PhantomNewAsyncFunction:
1626         case PhantomCreateActivation:
1627         case PhantomDirectArguments:
1628         case PhantomCreateRest:
1629         case PhantomSpread:
1630         case PhantomNewArrayWithSpread:
1631         case PhantomClonedArguments:
1632         case GetMyArgumentByVal:
1633         case GetMyArgumentByValOutOfBounds:
1634         case GetVectorLength:
1635         case PutHint:
1636         case CheckStructureImmediate:
1637         case CheckStructureOrEmpty:
1638         case MaterializeNewObject:
1639         case MaterializeCreateActivation:
1640         case PutStack:
1641         case KillStack:
1642         case GetStack:
1643         case StoreBarrier:
1644         case FencedStoreBarrier:
1645         case GetRegExpObjectLastIndex:
1646         case SetRegExpObjectLastIndex:
1647         case RecordRegExpCachedResult:
1648             // These are just nodes that we don't currently expect to see during fixup.
1649             // If we ever wanted to insert them prior to fixup, then we just have to create
1650             // fixup rules for them.
1651             DFG_CRASH(m_graph, node, "Unexpected node during fixup");
1652             break;
1653
1654         case PutGlobalVariable: {
1655             fixEdge<CellUse>(node->child1());
1656             speculateForBarrier(node->child2());
1657             break;
1658         }
1659
1660         case IsObject:
1661             if (node->child1()->shouldSpeculateObject()) {
1662                 m_insertionSet.insertNode(
1663                     m_indexInBlock, SpecNone, Check, node->origin,
1664                     Edge(node->child1().node(), ObjectUse));
1665                 m_graph.convertToConstant(node, jsBoolean(true));
1666                 observeUseKindOnNode<ObjectUse>(node);
1667             }
1668             break;
1669
1670         case IsCellWithType: {
1671             fixupIsCellWithType(node);
1672             break;
1673         }
1674
1675         case GetEnumerableLength: {
1676             fixEdge<CellUse>(node->child1());
1677             break;
1678         }
1679         case HasGenericProperty: {
1680             fixEdge<CellUse>(node->child2());
1681             break;
1682         }
1683         case HasStructureProperty: {
1684             fixEdge<StringUse>(node->child2());
1685             fixEdge<KnownCellUse>(node->child3());
1686             break;
1687         }
1688         case HasIndexedProperty: {
1689             node->setArrayMode(
1690                 node->arrayMode().refine(
1691                     m_graph, node,
1692                     node->child1()->prediction(),
1693                     node->child2()->prediction(),
1694                     SpecNone));
1695             
1696             blessArrayOperation(node->child1(), node->child2(), node->child3());
1697             fixEdge<CellUse>(node->child1());
1698             fixEdge<KnownInt32Use>(node->child2());
1699             break;
1700         }
1701         case GetDirectPname: {
1702             Edge& base = m_graph.varArgChild(node, 0);
1703             Edge& property = m_graph.varArgChild(node, 1);
1704             Edge& index = m_graph.varArgChild(node, 2);
1705             Edge& enumerator = m_graph.varArgChild(node, 3);
1706             fixEdge<CellUse>(base);
1707             fixEdge<KnownCellUse>(property);
1708             fixEdge<KnownInt32Use>(index);
1709             fixEdge<KnownCellUse>(enumerator);
1710             break;
1711         }
1712         case GetPropertyEnumerator: {
1713             fixEdge<CellUse>(node->child1());
1714             break;
1715         }
1716         case GetEnumeratorStructurePname: {
1717             fixEdge<KnownCellUse>(node->child1());
1718             fixEdge<KnownInt32Use>(node->child2());
1719             break;
1720         }
1721         case GetEnumeratorGenericPname: {
1722             fixEdge<KnownCellUse>(node->child1());
1723             fixEdge<KnownInt32Use>(node->child2());
1724             break;
1725         }
1726         case ToIndexString: {
1727             fixEdge<KnownInt32Use>(node->child1());
1728             break;
1729         }
1730         case ProfileType: {
1731             // We want to insert type checks based on the instructionTypeSet of the TypeLocation, not the globalTypeSet.
1732             // Because the instructionTypeSet is contained in globalTypeSet, if we produce a type check for
1733             // type T for the instructionTypeSet, the global type set must also have information for type T.
1734             // So if it the type check succeeds for type T in the instructionTypeSet, a type check for type T 
1735             // in the globalTypeSet would've also succeeded.
1736             // (The other direction does not hold in general).
1737
1738             RefPtr<TypeSet> typeSet = node->typeLocation()->m_instructionTypeSet;
1739             RuntimeTypeMask seenTypes = typeSet->seenTypes();
1740             if (typeSet->doesTypeConformTo(TypeAnyInt)) {
1741                 if (node->child1()->shouldSpeculateInt32()) {
1742                     fixEdge<Int32Use>(node->child1());
1743                     node->remove();
1744                     break;
1745                 }
1746
1747                 if (enableInt52()) {
1748                     fixEdge<AnyIntUse>(node->child1());
1749                     node->remove();
1750                     break;
1751                 }
1752
1753                 // Must not perform fixEdge<NumberUse> here since the type set only includes TypeAnyInt. Double values should be logged.
1754             }
1755
1756             if (typeSet->doesTypeConformTo(TypeNumber | TypeAnyInt)) {
1757                 fixEdge<NumberUse>(node->child1());
1758                 node->remove();
1759             } else if (typeSet->doesTypeConformTo(TypeString)) {
1760                 fixEdge<StringUse>(node->child1());
1761                 node->remove();
1762             } else if (typeSet->doesTypeConformTo(TypeBoolean)) {
1763                 fixEdge<BooleanUse>(node->child1());
1764                 node->remove();
1765             } else if (typeSet->doesTypeConformTo(TypeUndefined | TypeNull) && (seenTypes & TypeUndefined) && (seenTypes & TypeNull)) {
1766                 fixEdge<OtherUse>(node->child1());
1767                 node->remove();
1768             } else if (typeSet->doesTypeConformTo(TypeObject)) {
1769                 StructureSet set;
1770                 {
1771                     ConcurrentJSLocker locker(typeSet->m_lock);
1772                     set = typeSet->structureSet(locker);
1773                 }
1774                 if (!set.isEmpty()) {
1775                     fixEdge<CellUse>(node->child1());
1776                     node->convertToCheckStructure(m_graph.addStructureSet(set));
1777                 }
1778             }
1779
1780             break;
1781         }
1782
1783         case CreateClonedArguments: {
1784             watchHavingABadTime(node);
1785             break;
1786         }
1787
1788         case CreateScopedArguments:
1789         case CreateActivation:
1790         case NewFunction:
1791         case NewGeneratorFunction:
1792         case NewAsyncGeneratorFunction:
1793         case NewAsyncFunction: {
1794             // Child 1 is always the current scope, which is guaranteed to be an object
1795             // FIXME: should be KnownObjectUse once that exists (https://bugs.webkit.org/show_bug.cgi?id=175689)
1796             fixEdge<KnownCellUse>(node->child1());
1797             break;
1798         }
1799
1800         case PushWithScope: {
1801             // Child 1 is always the current scope, which is guaranteed to be an object
1802             // FIXME: should be KnownObjectUse once that exists (https://bugs.webkit.org/show_bug.cgi?id=175689)
1803             fixEdge<KnownCellUse>(node->child1());
1804             if (node->child2()->shouldSpeculateObject())
1805                 fixEdge<ObjectUse>(node->child2());
1806             break;
1807         }
1808
1809         case SetFunctionName: {
1810             // The first child is guaranteed to be a cell because op_set_function_name is only used
1811             // on a newly instantiated function object (the first child).
1812             fixEdge<KnownCellUse>(node->child1());
1813             fixEdge<UntypedUse>(node->child2());
1814             break;
1815         }
1816
1817         case CreateRest: {
1818             watchHavingABadTime(node);
1819             fixEdge<KnownInt32Use>(node->child1());
1820             break;
1821         }
1822
1823         case ResolveScopeForHoistingFuncDeclInEval: {
1824             fixEdge<KnownCellUse>(node->child1());
1825             break;
1826         }
1827         case ResolveScope:
1828         case GetDynamicVar:
1829         case PutDynamicVar: {
1830             fixEdge<KnownCellUse>(node->child1());
1831             break;
1832         }
1833
1834         case LogShadowChickenPrologue: {
1835             fixEdge<KnownCellUse>(node->child1());
1836             break;
1837         }
1838         case LogShadowChickenTail: {
1839             fixEdge<UntypedUse>(node->child1());
1840             fixEdge<KnownCellUse>(node->child2());
1841             break;
1842         }
1843
1844         case GetMapBucket:
1845             if (node->child1().useKind() == MapObjectUse)
1846                 fixEdge<MapObjectUse>(node->child1());
1847             else if (node->child1().useKind() == SetObjectUse)
1848                 fixEdge<SetObjectUse>(node->child1());
1849             else
1850                 RELEASE_ASSERT_NOT_REACHED();
1851
1852 #if USE(JSVALUE64)
1853             if (node->child2()->shouldSpeculateBoolean())
1854                 fixEdge<BooleanUse>(node->child2());
1855             else if (node->child2()->shouldSpeculateInt32())
1856                 fixEdge<Int32Use>(node->child2());
1857             else if (node->child2()->shouldSpeculateSymbol())
1858                 fixEdge<SymbolUse>(node->child2());
1859             else if (node->child2()->shouldSpeculateObject())
1860                 fixEdge<ObjectUse>(node->child2());
1861             else if (node->child2()->shouldSpeculateString())
1862                 fixEdge<StringUse>(node->child2());
1863             else if (node->child2()->shouldSpeculateCell())
1864                 fixEdge<CellUse>(node->child2());
1865             else
1866                 fixEdge<UntypedUse>(node->child2());
1867 #else
1868             fixEdge<UntypedUse>(node->child2());
1869 #endif // USE(JSVALUE64)
1870
1871             fixEdge<Int32Use>(node->child3());
1872             break;
1873
1874         case GetMapBucketHead:
1875             if (node->child1().useKind() == MapObjectUse)
1876                 fixEdge<MapObjectUse>(node->child1());
1877             else if (node->child1().useKind() == SetObjectUse)
1878                 fixEdge<SetObjectUse>(node->child1());
1879             else
1880                 RELEASE_ASSERT_NOT_REACHED();
1881             break;
1882
1883         case GetMapBucketNext:
1884         case LoadKeyFromMapBucket:
1885         case LoadValueFromMapBucket:
1886             fixEdge<CellUse>(node->child1());
1887             break;
1888
1889         case MapHash: {
1890 #if USE(JSVALUE64)
1891             if (node->child1()->shouldSpeculateBoolean()) {
1892                 fixEdge<BooleanUse>(node->child1());
1893                 break;
1894             }
1895
1896             if (node->child1()->shouldSpeculateInt32()) {
1897                 fixEdge<Int32Use>(node->child1());
1898                 break;
1899             }
1900
1901             if (node->child1()->shouldSpeculateSymbol()) {
1902                 fixEdge<SymbolUse>(node->child1());
1903                 break;
1904             }
1905
1906             if (node->child1()->shouldSpeculateObject()) {
1907                 fixEdge<ObjectUse>(node->child1());
1908                 break;
1909             }
1910
1911             if (node->child1()->shouldSpeculateString()) {
1912                 fixEdge<StringUse>(node->child1());
1913                 break;
1914             }
1915
1916             if (node->child1()->shouldSpeculateCell()) {
1917                 fixEdge<CellUse>(node->child1());
1918                 break;
1919             }
1920
1921             fixEdge<UntypedUse>(node->child1());
1922 #else
1923             fixEdge<UntypedUse>(node->child1());
1924 #endif // USE(JSVALUE64)
1925             break;
1926         }
1927
1928         case WeakMapGet: {
1929             fixEdge<WeakMapObjectUse>(node->child1());
1930             fixEdge<ObjectUse>(node->child2());
1931             fixEdge<Int32Use>(node->child3());
1932             break;
1933         }
1934
1935         case DefineDataProperty: {
1936             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
1937             Edge& propertyEdge = m_graph.varArgChild(node, 1);
1938             if (propertyEdge->shouldSpeculateSymbol())
1939                 fixEdge<SymbolUse>(propertyEdge);
1940             else if (propertyEdge->shouldSpeculateStringIdent())
1941                 fixEdge<StringIdentUse>(propertyEdge);
1942             else if (propertyEdge->shouldSpeculateString())
1943                 fixEdge<StringUse>(propertyEdge);
1944             else
1945                 fixEdge<UntypedUse>(propertyEdge);
1946             fixEdge<UntypedUse>(m_graph.varArgChild(node, 2));
1947             fixEdge<KnownInt32Use>(m_graph.varArgChild(node, 3));
1948             break;
1949         }
1950
1951         case ToLowerCase: {
1952             // We currently only support StringUse since that will ensure that
1953             // ToLowerCase is a pure operation. If we decide to update this with
1954             // more types in the future, we need to ensure that the clobberize rules
1955             // are correct.
1956             fixEdge<StringUse>(node->child1());
1957             break;
1958         }
1959
1960         case NumberToStringWithRadix: {
1961             if (node->child1()->shouldSpeculateInt32())
1962                 fixEdge<Int32Use>(node->child1());
1963             else if (enableInt52() && node->child1()->shouldSpeculateAnyInt())
1964                 fixEdge<Int52RepUse>(node->child1());
1965             else
1966                 fixEdge<DoubleRepUse>(node->child1());
1967             fixEdge<Int32Use>(node->child2());
1968             break;
1969         }
1970
1971         case DefineAccessorProperty: {
1972             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
1973             Edge& propertyEdge = m_graph.varArgChild(node, 1);
1974             if (propertyEdge->shouldSpeculateSymbol())
1975                 fixEdge<SymbolUse>(propertyEdge);
1976             else if (propertyEdge->shouldSpeculateStringIdent())
1977                 fixEdge<StringIdentUse>(propertyEdge);
1978             else if (propertyEdge->shouldSpeculateString())
1979                 fixEdge<StringUse>(propertyEdge);
1980             else
1981                 fixEdge<UntypedUse>(propertyEdge);
1982             fixEdge<CellUse>(m_graph.varArgChild(node, 2));
1983             fixEdge<CellUse>(m_graph.varArgChild(node, 3));
1984             fixEdge<KnownInt32Use>(m_graph.varArgChild(node, 4));
1985             break;
1986         }
1987
1988         case CheckSubClass: {
1989             fixupCheckSubClass(node);
1990             break;
1991         }
1992
1993         case CallDOMGetter: {
1994             DOMJIT::CallDOMGetterSnippet* snippet = node->callDOMGetterData()->snippet;
1995             fixEdge<CellUse>(node->child1()); // DOM.
1996             if (snippet && snippet->requireGlobalObject)
1997                 fixEdge<KnownCellUse>(node->child2()); // GlobalObject.
1998             break;
1999         }
2000
2001         case CallDOM: {
2002             fixupCallDOM(node);
2003             break;
2004         }
2005
2006         case Call: {
2007             attemptToMakeCallDOM(node);
2008             break;
2009         }
2010
2011         case ParseInt: {
2012             if (node->child1()->shouldSpeculateInt32() && !node->child2()) {
2013                 fixEdge<Int32Use>(node->child1());
2014                 node->convertToIdentity();
2015                 break;
2016             }
2017
2018             if (node->child1()->shouldSpeculateString()) {
2019                 fixEdge<StringUse>(node->child1());
2020                 node->clearFlags(NodeMustGenerate);
2021             }
2022
2023             if (node->child2())
2024                 fixEdge<Int32Use>(node->child2());
2025
2026             break;
2027         }
2028
2029         case IdentityWithProfile: {
2030             node->clearFlags(NodeMustGenerate);
2031             break;
2032         }
2033
2034         case ThrowStaticError:
2035             fixEdge<StringUse>(node->child1());
2036             break;
2037
2038 #if !ASSERT_DISABLED
2039         // Have these no-op cases here to ensure that nobody forgets to add handlers for new opcodes.
2040         case SetArgument:
2041         case JSConstant:
2042         case LazyJSConstant:
2043         case DoubleConstant:
2044         case GetLocal:
2045         case GetCallee:
2046         case GetArgumentCountIncludingThis:
2047         case GetRestLength:
2048         case GetArgument:
2049         case Flush:
2050         case PhantomLocal:
2051         case GetLocalUnlinked:
2052         case GetGlobalVar:
2053         case GetGlobalLexicalVariable:
2054         case NotifyWrite:
2055         case DirectCall:
2056         case CheckTypeInfoFlags:
2057         case TailCallInlinedCaller:
2058         case DirectTailCallInlinedCaller:
2059         case Construct:
2060         case DirectConstruct:
2061         case CallVarargs:
2062         case CallEval:
2063         case TailCallVarargsInlinedCaller:
2064         case ConstructVarargs:
2065         case CallForwardVarargs:
2066         case ConstructForwardVarargs:
2067         case TailCallForwardVarargs:
2068         case TailCallForwardVarargsInlinedCaller:
2069         case LoadVarargs:
2070         case ForwardVarargs:
2071         case ProfileControlFlow:
2072         case NewObject:
2073         case NewRegexp:
2074         case DeleteById:
2075         case DeleteByVal:
2076         case IsTypedArrayView:
2077         case IsEmpty:
2078         case IsUndefined:
2079         case IsBoolean:
2080         case IsNumber:
2081         case IsObjectOrNull:
2082         case IsFunction:
2083         case CreateDirectArguments:
2084         case Jump:
2085         case Return:
2086         case TailCall:
2087         case DirectTailCall:
2088         case TailCallVarargs:
2089         case Throw:
2090         case CountExecution:
2091         case ForceOSRExit:
2092         case CheckBadCell:
2093         case CheckNotEmpty:
2094         case CheckTraps:
2095         case Unreachable:
2096         case ExtractOSREntryLocal:
2097         case ExtractCatchLocal:
2098         case LoopHint:
2099         case MovHint:
2100         case InitializeEntrypointArguments:
2101         case ZombieHint:
2102         case ExitOK:
2103         case BottomValue:
2104         case TypeOf:
2105         case PutByIdWithThis:
2106         case PutByValWithThis:
2107         case GetByValWithThis:
2108         case CompareEqPtr:
2109         case NumberToStringWithValidRadixConstant:
2110         case GetGlobalThis:
2111             break;
2112 #else
2113         default:
2114             break;
2115 #endif
2116         }
2117     }
2118
2119     void watchHavingABadTime(Node* node)
2120     {
2121         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2122
2123         // If this global object is not having a bad time, watch it. We go down this path anytime the code
2124         // does an array allocation. The types of array allocations may change if we start to have a bad
2125         // time. It's easier to reason about this if we know that whenever the types change after we start
2126         // optimizing, the code just gets thrown out. Doing this at FixupPhase is just early enough, since
2127         // prior to this point nobody should have been doing optimizations based on the indexing type of
2128         // the allocation.
2129         if (!globalObject->isHavingABadTime()) {
2130             m_graph.watchpoints().addLazily(globalObject->havingABadTimeWatchpoint());
2131             m_graph.freeze(globalObject);
2132         }
2133     }
2134     
2135     template<UseKind useKind>
2136     void createToString(Node* node, Edge& edge)
2137     {
2138         Node* toString = m_insertionSet.insertNode(
2139             m_indexInBlock, SpecString, ToString, node->origin,
2140             Edge(edge.node(), useKind));
2141         switch (useKind) {
2142         case Int32Use:
2143         case Int52RepUse:
2144         case DoubleRepUse:
2145         case NotCellUse:
2146             toString->clearFlags(NodeMustGenerate);
2147             break;
2148         default:
2149             break;
2150         }
2151         edge.setNode(toString);
2152     }
2153     
2154     template<UseKind useKind>
2155     void attemptToForceStringArrayModeByToStringConversion(ArrayMode& arrayMode, Node* node)
2156     {
2157         ASSERT(arrayMode == ArrayMode(Array::Generic));
2158         
2159         if (!m_graph.canOptimizeStringObjectAccess(node->origin.semantic))
2160             return;
2161         
2162         createToString<useKind>(node, node->child1());
2163         arrayMode = ArrayMode(Array::String);
2164     }
2165     
2166     template<UseKind useKind>
2167     bool isStringObjectUse()
2168     {
2169         switch (useKind) {
2170         case StringObjectUse:
2171         case StringOrStringObjectUse:
2172             return true;
2173         default:
2174             return false;
2175         }
2176     }
2177     
2178     template<UseKind useKind>
2179     void convertStringAddUse(Node* node, Edge& edge)
2180     {
2181         if (useKind == StringUse) {
2182             observeUseKindOnNode<StringUse>(edge.node());
2183             m_insertionSet.insertNode(
2184                 m_indexInBlock, SpecNone, Check, node->origin,
2185                 Edge(edge.node(), StringUse));
2186             edge.setUseKind(KnownStringUse);
2187             return;
2188         }
2189         
2190         observeUseKindOnNode<useKind>(edge.node());
2191         createToString<useKind>(node, edge);
2192     }
2193     
2194     void convertToMakeRope(Node* node)
2195     {
2196         node->setOpAndDefaultFlags(MakeRope);
2197         fixupMakeRope(node);
2198     }
2199     
2200     void fixupMakeRope(Node* node)
2201     {
2202         for (unsigned i = 0; i < AdjacencyList::Size; ++i) {
2203             Edge& edge = node->children.child(i);
2204             if (!edge)
2205                 break;
2206             edge.setUseKind(KnownStringUse);
2207             JSString* string = edge->dynamicCastConstant<JSString*>(vm());
2208             if (!string)
2209                 continue;
2210             if (string->length())
2211                 continue;
2212             
2213             // Don't allow the MakeRope to have zero children.
2214             if (!i && !node->child2())
2215                 break;
2216             
2217             node->children.removeEdge(i--);
2218         }
2219         
2220         if (!node->child2()) {
2221             ASSERT(!node->child3());
2222             node->convertToIdentity();
2223         }
2224     }
2225
2226     void fixupIsCellWithType(Node* node)
2227     {
2228         switch (node->speculatedTypeForQuery()) {
2229         case SpecString:
2230             if (node->child1()->shouldSpeculateString()) {
2231                 m_insertionSet.insertNode(
2232                     m_indexInBlock, SpecNone, Check, node->origin,
2233                     Edge(node->child1().node(), StringUse));
2234                 m_graph.convertToConstant(node, jsBoolean(true));
2235                 observeUseKindOnNode<StringUse>(node);
2236                 return;
2237             }
2238             break;
2239
2240         case SpecProxyObject:
2241             if (node->child1()->shouldSpeculateProxyObject()) {
2242                 m_insertionSet.insertNode(
2243                     m_indexInBlock, SpecNone, Check, node->origin,
2244                     Edge(node->child1().node(), ProxyObjectUse));
2245                 m_graph.convertToConstant(node, jsBoolean(true));
2246                 observeUseKindOnNode<ProxyObjectUse>(node);
2247                 return;
2248             }
2249             break;
2250
2251         case SpecRegExpObject:
2252             if (node->child1()->shouldSpeculateRegExpObject()) {
2253                 m_insertionSet.insertNode(
2254                     m_indexInBlock, SpecNone, Check, node->origin,
2255                     Edge(node->child1().node(), RegExpObjectUse));
2256                 m_graph.convertToConstant(node, jsBoolean(true));
2257                 observeUseKindOnNode<RegExpObjectUse>(node);
2258                 return;
2259             }
2260             break;
2261
2262         case SpecArray:
2263             if (node->child1()->shouldSpeculateArray()) {
2264                 m_insertionSet.insertNode(
2265                     m_indexInBlock, SpecNone, Check, node->origin,
2266                     Edge(node->child1().node(), ArrayUse));
2267                 m_graph.convertToConstant(node, jsBoolean(true));
2268                 observeUseKindOnNode<ArrayUse>(node);
2269                 return;
2270             }
2271             break;
2272
2273         case SpecDerivedArray:
2274             if (node->child1()->shouldSpeculateDerivedArray()) {
2275                 m_insertionSet.insertNode(
2276                     m_indexInBlock, SpecNone, Check, node->origin,
2277                     Edge(node->child1().node(), DerivedArrayUse));
2278                 m_graph.convertToConstant(node, jsBoolean(true));
2279                 observeUseKindOnNode<DerivedArrayUse>(node);
2280                 return;
2281             }
2282             break;
2283         }
2284
2285         if (node->child1()->shouldSpeculateCell()) {
2286             fixEdge<CellUse>(node->child1());
2287             return;
2288         }
2289
2290         if (node->child1()->shouldSpeculateNotCell()) {
2291             m_insertionSet.insertNode(
2292                 m_indexInBlock, SpecNone, Check, node->origin,
2293                 Edge(node->child1().node(), NotCellUse));
2294             m_graph.convertToConstant(node, jsBoolean(false));
2295             observeUseKindOnNode<NotCellUse>(node);
2296             return;
2297         }
2298     }
2299
2300     void fixupToThis(Node* node)
2301     {
2302         ECMAMode ecmaMode = m_graph.executableFor(node->origin.semantic)->isStrictMode() ? StrictMode : NotStrictMode;
2303
2304         if (ecmaMode == StrictMode) {
2305             if (node->child1()->shouldSpeculateBoolean()) {
2306                 fixEdge<BooleanUse>(node->child1());
2307                 node->convertToIdentity();
2308                 return;
2309             }
2310
2311             if (node->child1()->shouldSpeculateInt32()) {
2312                 fixEdge<Int32Use>(node->child1());
2313                 node->convertToIdentity();
2314                 return;
2315             }
2316
2317             if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2318                 fixEdge<Int52RepUse>(node->child1());
2319                 node->convertToIdentity();
2320                 node->setResult(NodeResultInt52);
2321                 return;
2322             }
2323
2324             if (node->child1()->shouldSpeculateNumber()) {
2325                 fixEdge<DoubleRepUse>(node->child1());
2326                 node->convertToIdentity();
2327                 node->setResult(NodeResultDouble);
2328                 return;
2329             }
2330
2331             if (node->child1()->shouldSpeculateSymbol()) {
2332                 fixEdge<SymbolUse>(node->child1());
2333                 node->convertToIdentity();
2334                 return;
2335             }
2336
2337             if (node->child1()->shouldSpeculateStringIdent()) {
2338                 fixEdge<StringIdentUse>(node->child1());
2339                 node->convertToIdentity();
2340                 return;
2341             }
2342
2343             if (node->child1()->shouldSpeculateString()) {
2344                 fixEdge<StringUse>(node->child1());
2345                 node->convertToIdentity();
2346                 return;
2347             }
2348         }
2349
2350         if (node->child1()->shouldSpeculateOther()) {
2351             if (ecmaMode == StrictMode) {
2352                 fixEdge<OtherUse>(node->child1());
2353                 node->convertToIdentity();
2354                 return;
2355             }
2356
2357             m_insertionSet.insertNode(
2358                 m_indexInBlock, SpecNone, Check, node->origin,
2359                 Edge(node->child1().node(), OtherUse));
2360             observeUseKindOnNode<OtherUse>(node->child1().node());
2361             m_graph.convertToConstant(
2362                 node, m_graph.globalThisObjectFor(node->origin.semantic));
2363             return;
2364         }
2365
2366         // FIXME: This should cover other use cases but we don't have use kinds for them. It's not critical,
2367         // however, since we cover all the missing cases in constant folding.
2368         // https://bugs.webkit.org/show_bug.cgi?id=157213
2369         if (node->child1()->shouldSpeculateStringObject()) {
2370             fixEdge<StringObjectUse>(node->child1());
2371             node->convertToIdentity();
2372             return;
2373         }
2374
2375         if (isFinalObjectSpeculation(node->child1()->prediction())) {
2376             fixEdge<FinalObjectUse>(node->child1());
2377             node->convertToIdentity();
2378             return;
2379         }
2380     }
2381     
2382     void fixupToPrimitive(Node* node)
2383     {
2384         if (node->child1()->shouldSpeculateInt32()) {
2385             fixEdge<Int32Use>(node->child1());
2386             node->convertToIdentity();
2387             return;
2388         }
2389         
2390         if (node->child1()->shouldSpeculateString()) {
2391             fixEdge<StringUse>(node->child1());
2392             node->convertToIdentity();
2393             return;
2394         }
2395         
2396         if (node->child1()->shouldSpeculateStringObject()
2397             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2398             fixEdge<StringObjectUse>(node->child1());
2399             node->convertToToString();
2400             return;
2401         }
2402         
2403         if (node->child1()->shouldSpeculateStringOrStringObject()
2404             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2405             fixEdge<StringOrStringObjectUse>(node->child1());
2406             node->convertToToString();
2407             return;
2408         }
2409     }
2410
2411     void fixupToNumber(Node* node)
2412     {
2413         // If the prediction of the child is Number, we attempt to convert ToNumber to Identity.
2414         if (node->child1()->shouldSpeculateNumber()) {
2415             if (isInt32Speculation(node->getHeapPrediction())) {
2416                 // If the both predictions of this node and the child is Int32, we just convert ToNumber to Identity, that's simple.
2417                 if (node->child1()->shouldSpeculateInt32()) {
2418                     fixEdge<Int32Use>(node->child1());
2419                     node->convertToIdentity();
2420                     return;
2421                 }
2422
2423                 // The another case is that the predicted type of the child is Int32, but the heap prediction tell the users that this will produce non Int32 values.
2424                 // In that case, let's receive the child value as a Double value and convert it to Int32. This case happens in misc-bugs-847389-jpeg2000.
2425                 fixEdge<DoubleRepUse>(node->child1());
2426                 node->setOp(DoubleAsInt32);
2427                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
2428                     node->setArithMode(Arith::CheckOverflow);
2429                 else
2430                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
2431                 return;
2432             }
2433
2434             fixEdge<DoubleRepUse>(node->child1());
2435             node->convertToIdentity();
2436             node->setResult(NodeResultDouble);
2437             return;
2438         }
2439
2440         fixEdge<UntypedUse>(node->child1());
2441         node->setResult(NodeResultJS);
2442     }
2443     
2444     void fixupToStringOrCallStringConstructor(Node* node)
2445     {
2446         if (node->child1()->shouldSpeculateString()) {
2447             fixEdge<StringUse>(node->child1());
2448             node->convertToIdentity();
2449             return;
2450         }
2451         
2452         if (node->child1()->shouldSpeculateStringObject()
2453             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2454             fixEdge<StringObjectUse>(node->child1());
2455             return;
2456         }
2457         
2458         if (node->child1()->shouldSpeculateStringOrStringObject()
2459             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2460             fixEdge<StringOrStringObjectUse>(node->child1());
2461             return;
2462         }
2463         
2464         if (node->child1()->shouldSpeculateCell()) {
2465             fixEdge<CellUse>(node->child1());
2466             return;
2467         }
2468
2469         if (node->child1()->shouldSpeculateInt32()) {
2470             fixEdge<Int32Use>(node->child1());
2471             node->clearFlags(NodeMustGenerate);
2472             return;
2473         }
2474
2475         if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2476             fixEdge<Int52RepUse>(node->child1());
2477             node->clearFlags(NodeMustGenerate);
2478             return;
2479         }
2480
2481         if (node->child1()->shouldSpeculateNumber()) {
2482             fixEdge<DoubleRepUse>(node->child1());
2483             node->clearFlags(NodeMustGenerate);
2484             return;
2485         }
2486
2487         // ToString(Symbol) throws an error. So if the child1 can include Symbols,
2488         // we need to care about it in the clobberize. In the following case,
2489         // since NotCellUse edge filter is used and this edge filters Symbols,
2490         // we can say that ToString never throws an error!
2491         if (node->child1()->shouldSpeculateNotCell()) {
2492             fixEdge<NotCellUse>(node->child1());
2493             node->clearFlags(NodeMustGenerate);
2494             return;
2495         }
2496     }
2497
2498     bool attemptToMakeFastStringAdd(Node* node)
2499     {
2500         bool goodToGo = true;
2501         m_graph.doToChildren(
2502             node,
2503             [&] (Edge& edge) {
2504                 if (edge->shouldSpeculateString())
2505                     return;
2506                 if (m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2507                     if (edge->shouldSpeculateStringObject())
2508                         return;
2509                     if (edge->shouldSpeculateStringOrStringObject())
2510                         return;
2511                 }
2512                 goodToGo = false;
2513             });
2514         if (!goodToGo)
2515             return false;
2516
2517         m_graph.doToChildren(
2518             node,
2519             [&] (Edge& edge) {
2520                 if (edge->shouldSpeculateString()) {
2521                     convertStringAddUse<StringUse>(node, edge);
2522                     return;
2523                 }
2524                 ASSERT(m_graph.canOptimizeStringObjectAccess(node->origin.semantic));
2525                 if (edge->shouldSpeculateStringObject()) {
2526                     convertStringAddUse<StringObjectUse>(node, edge);
2527                     return;
2528                 }
2529                 if (edge->shouldSpeculateStringOrStringObject()) {
2530                     convertStringAddUse<StringOrStringObjectUse>(node, edge);
2531                     return;
2532                 }
2533                 RELEASE_ASSERT_NOT_REACHED();
2534             });
2535         
2536         convertToMakeRope(node);
2537         return true;
2538     }
2539
2540     void fixupGetAndSetLocalsInBlock(BasicBlock* block)
2541     {
2542         if (!block)
2543             return;
2544         ASSERT(block->isReachable);
2545         m_block = block;
2546         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
2547             Node* node = m_currentNode = block->at(m_indexInBlock);
2548             if (node->op() != SetLocal && node->op() != GetLocal)
2549                 continue;
2550             
2551             VariableAccessData* variable = node->variableAccessData();
2552             switch (node->op()) {
2553             case GetLocal:
2554                 switch (variable->flushFormat()) {
2555                 case FlushedDouble:
2556                     node->setResult(NodeResultDouble);
2557                     break;
2558                 case FlushedInt52:
2559                     node->setResult(NodeResultInt52);
2560                     break;
2561                 default:
2562                     break;
2563                 }
2564                 break;
2565                 
2566             case SetLocal:
2567                 // NOTE: Any type checks we put here may get hoisted by fixupChecksInBlock(). So, if we
2568                 // add new type checking use kind for SetLocals, we need to modify that code as well.
2569                 
2570                 switch (variable->flushFormat()) {
2571                 case FlushedJSValue:
2572                     break;
2573                 case FlushedDouble:
2574                     fixEdge<DoubleRepUse>(node->child1());
2575                     break;
2576                 case FlushedInt32:
2577                     fixEdge<Int32Use>(node->child1());
2578                     break;
2579                 case FlushedInt52:
2580                     fixEdge<Int52RepUse>(node->child1());
2581                     break;
2582                 case FlushedCell:
2583                     fixEdge<CellUse>(node->child1());
2584                     break;
2585                 case FlushedBoolean:
2586                     fixEdge<BooleanUse>(node->child1());
2587                     break;
2588                 default:
2589                     RELEASE_ASSERT_NOT_REACHED();
2590                     break;
2591                 }
2592                 break;
2593                 
2594             default:
2595                 RELEASE_ASSERT_NOT_REACHED();
2596                 break;
2597             }
2598         }
2599         m_insertionSet.execute(block);
2600     }
2601     
2602     void addStringReplacePrimordialChecks(Node* searchRegExp)
2603     {
2604         Node* node = m_currentNode;
2605
2606         // Check that structure of searchRegExp is RegExp object
2607         m_insertionSet.insertNode(
2608             m_indexInBlock, SpecNone, Check, node->origin,
2609             Edge(searchRegExp, RegExpObjectUse));
2610
2611         auto emitPrimordialCheckFor = [&] (JSValue primordialProperty, UniquedStringImpl* propertyUID) {
2612             unsigned index = m_graph.identifiers().ensure(propertyUID);
2613
2614             Node* actualProperty = m_insertionSet.insertNode(
2615                 m_indexInBlock, SpecNone, TryGetById, node->origin,
2616                 OpInfo(index), OpInfo(SpecFunction), Edge(searchRegExp, CellUse));
2617
2618             m_insertionSet.insertNode(
2619                 m_indexInBlock, SpecNone, CheckCell, node->origin,
2620                 OpInfo(m_graph.freeze(primordialProperty)), Edge(actualProperty, CellUse));
2621         };
2622
2623         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2624
2625         // Check that searchRegExp.exec is the primordial RegExp.prototype.exec
2626         emitPrimordialCheckFor(globalObject->regExpProtoExecFunction(), vm().propertyNames->exec.impl());
2627         // Check that searchRegExp.global is the primordial RegExp.prototype.global
2628         emitPrimordialCheckFor(globalObject->regExpProtoGlobalGetter(), vm().propertyNames->global.impl());
2629         // Check that searchRegExp.unicode is the primordial RegExp.prototype.unicode
2630         emitPrimordialCheckFor(globalObject->regExpProtoUnicodeGetter(), vm().propertyNames->unicode.impl());
2631         // Check that searchRegExp[Symbol.match] is the primordial RegExp.prototype[Symbol.replace]
2632         emitPrimordialCheckFor(globalObject->regExpProtoSymbolReplaceFunction(), vm().propertyNames->replaceSymbol.impl());
2633     }
2634
2635     Node* checkArray(ArrayMode arrayMode, const NodeOrigin& origin, Node* array, Node* index, bool (*storageCheck)(const ArrayMode&) = canCSEStorage)
2636     {
2637         ASSERT(arrayMode.isSpecific());
2638         
2639         if (arrayMode.type() == Array::String) {
2640             m_insertionSet.insertNode(
2641                 m_indexInBlock, SpecNone, Check, origin, Edge(array, StringUse));
2642         } else {
2643             // Note that we only need to be using a structure check if we opt for SaneChain, since
2644             // that needs to protect against JSArray's __proto__ being changed.
2645             Structure* structure = arrayMode.originalArrayStructure(m_graph, origin.semantic);
2646         
2647             Edge indexEdge = index ? Edge(index, Int32Use) : Edge();
2648             
2649             if (arrayMode.doesConversion()) {
2650                 if (structure) {
2651                     m_insertionSet.insertNode(
2652                         m_indexInBlock, SpecNone, ArrayifyToStructure, origin,
2653                         OpInfo(m_graph.registerStructure(structure)), OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge);
2654                 } else {
2655                     m_insertionSet.insertNode(
2656                         m_indexInBlock, SpecNone, Arrayify, origin,
2657                         OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge);
2658                 }
2659             } else {
2660                 if (structure) {
2661                     m_insertionSet.insertNode(
2662                         m_indexInBlock, SpecNone, CheckStructure, origin,
2663                         OpInfo(m_graph.addStructureSet(structure)), Edge(array, CellUse));
2664                 } else {
2665                     m_insertionSet.insertNode(
2666                         m_indexInBlock, SpecNone, CheckArray, origin,
2667                         OpInfo(arrayMode.asWord()), Edge(array, CellUse));
2668                 }
2669             }
2670         }
2671         
2672         if (!storageCheck(arrayMode))
2673             return nullptr;
2674         
2675         if (arrayMode.usesButterfly()) {
2676             return m_insertionSet.insertNode(
2677                 m_indexInBlock, SpecNone, GetButterfly, origin, Edge(array, CellUse));
2678         }
2679         
2680         return m_insertionSet.insertNode(
2681             m_indexInBlock, SpecNone, GetIndexedPropertyStorage, origin,
2682             OpInfo(arrayMode.asWord()), Edge(array, KnownCellUse));
2683     }
2684     
2685     void blessArrayOperation(Edge base, Edge index, Edge& storageChild)
2686     {
2687         Node* node = m_currentNode;
2688         
2689         switch (node->arrayMode().type()) {
2690         case Array::ForceExit: {
2691             m_insertionSet.insertNode(
2692                 m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
2693             return;
2694         }
2695             
2696         case Array::SelectUsingPredictions:
2697         case Array::Unprofiled:
2698             RELEASE_ASSERT_NOT_REACHED();
2699             return;
2700             
2701         case Array::Generic:
2702             return;
2703             
2704         default: {
2705             Node* storage = checkArray(node->arrayMode(), node->origin, base.node(), index.node());
2706             if (!storage)
2707                 return;
2708             
2709             storageChild = Edge(storage);
2710             return;
2711         } }
2712     }
2713     
2714     bool alwaysUnboxSimplePrimitives()
2715     {
2716 #if USE(JSVALUE64)
2717         return false;
2718 #else
2719         // Any boolean, int, or cell value is profitable to unbox on 32-bit because it
2720         // reduces traffic.
2721         return true;
2722 #endif
2723     }
2724
2725     template<UseKind useKind>
2726     void observeUseKindOnNode(Node* node)
2727     {
2728         if (useKind == UntypedUse)
2729             return;
2730         observeUseKindOnNode(node, useKind);
2731     }
2732
2733     void observeUseKindOnEdge(Edge edge)
2734     {
2735         observeUseKindOnNode(edge.node(), edge.useKind());
2736     }
2737
2738     void observeUseKindOnNode(Node* node, UseKind useKind)
2739     {
2740         if (node->op() != GetLocal)
2741             return;
2742         
2743         // FIXME: The way this uses alwaysUnboxSimplePrimitives() is suspicious.
2744         // https://bugs.webkit.org/show_bug.cgi?id=121518
2745         
2746         VariableAccessData* variable = node->variableAccessData();
2747         switch (useKind) {
2748         case Int32Use:
2749         case KnownInt32Use:
2750             if (alwaysUnboxSimplePrimitives()
2751                 || isInt32Speculation(variable->prediction()))
2752                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2753             break;
2754         case NumberUse:
2755         case RealNumberUse:
2756         case DoubleRepUse:
2757         case DoubleRepRealUse:
2758             if (variable->doubleFormatState() == UsingDoubleFormat)
2759                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2760             break;
2761         case BooleanUse:
2762         case KnownBooleanUse:
2763             if (alwaysUnboxSimplePrimitives()
2764                 || isBooleanSpeculation(variable->prediction()))
2765                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2766             break;
2767         case Int52RepUse:
2768             if (isAnyIntSpeculation(variable->prediction()))
2769                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2770             break;
2771         case CellUse:
2772         case KnownCellUse:
2773         case ObjectUse:
2774         case FunctionUse:
2775         case StringUse:
2776         case KnownStringUse:
2777         case SymbolUse:
2778         case StringObjectUse:
2779         case StringOrStringObjectUse:
2780             if (alwaysUnboxSimplePrimitives()
2781                 || isCellSpeculation(variable->prediction()))
2782                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2783             break;
2784         default:
2785             break;
2786         }
2787     }
2788     
2789     template<UseKind useKind>
2790     void fixEdge(Edge& edge)
2791     {
2792         observeUseKindOnNode<useKind>(edge.node());
2793         edge.setUseKind(useKind);
2794     }
2795     
2796     unsigned indexForChecks()
2797     {
2798         unsigned index = m_indexInBlock;
2799         while (!m_block->at(index)->origin.exitOK)
2800             index--;
2801         return index;
2802     }
2803     
2804     NodeOrigin originForCheck(unsigned index)
2805     {
2806         return m_block->at(index)->origin.withSemantic(m_currentNode->origin.semantic);
2807     }
2808     
2809     void speculateForBarrier(Edge value)
2810     {
2811         // Currently, the DFG won't take advantage of this speculation. But, we want to do it in
2812         // the DFG anyway because if such a speculation would be wrong, we want to know before
2813         // we do an expensive compile.
2814         
2815         if (value->shouldSpeculateInt32()) {
2816             insertCheck<Int32Use>(value.node());
2817             return;
2818         }
2819             
2820         if (value->shouldSpeculateBoolean()) {
2821             insertCheck<BooleanUse>(value.node());
2822             return;
2823         }
2824             
2825         if (value->shouldSpeculateOther()) {
2826             insertCheck<OtherUse>(value.node());
2827             return;
2828         }
2829             
2830         if (value->shouldSpeculateNumber()) {
2831             insertCheck<NumberUse>(value.node());
2832             return;
2833         }
2834             
2835         if (value->shouldSpeculateNotCell()) {
2836             insertCheck<NotCellUse>(value.node());
2837             return;
2838         }
2839     }
2840     
2841     template<UseKind useKind>
2842     void insertCheck(Node* node)
2843     {
2844         observeUseKindOnNode<useKind>(node);
2845         unsigned index = indexForChecks();
2846         m_insertionSet.insertNode(index, SpecNone, Check, originForCheck(index), Edge(node, useKind));
2847     }
2848
2849     void fixIntConvertingEdge(Edge& edge)
2850     {
2851         Node* node = edge.node();
2852         if (node->shouldSpeculateInt32OrBoolean()) {
2853             fixIntOrBooleanEdge(edge);
2854             return;
2855         }
2856         
2857         UseKind useKind;
2858         if (node->shouldSpeculateAnyInt())
2859             useKind = Int52RepUse;
2860         else if (node->shouldSpeculateNumber())
2861             useKind = DoubleRepUse;
2862         else
2863             useKind = NotCellUse;
2864         Node* newNode = m_insertionSet.insertNode(
2865             m_indexInBlock, SpecInt32Only, ValueToInt32, m_currentNode->origin,
2866             Edge(node, useKind));
2867         observeUseKindOnNode(node, useKind);
2868         
2869         edge = Edge(newNode, KnownInt32Use);
2870     }
2871     
2872     void fixIntOrBooleanEdge(Edge& edge)
2873     {
2874         Node* node = edge.node();
2875         if (!node->sawBooleans()) {
2876             fixEdge<Int32Use>(edge);
2877             return;
2878         }
2879         
2880         UseKind useKind;
2881         if (node->shouldSpeculateBoolean())
2882             useKind = BooleanUse;
2883         else
2884             useKind = UntypedUse;
2885         Node* newNode = m_insertionSet.insertNode(
2886             m_indexInBlock, SpecInt32Only, BooleanToNumber, m_currentNode->origin,
2887             Edge(node, useKind));
2888         observeUseKindOnNode(node, useKind);
2889         
2890         edge = Edge(newNode, Int32Use);
2891     }
2892     
2893     void fixDoubleOrBooleanEdge(Edge& edge)
2894     {
2895         Node* node = edge.node();
2896         if (!node->sawBooleans()) {
2897             fixEdge<DoubleRepUse>(edge);
2898             return;
2899         }
2900         
2901         UseKind useKind;
2902         if (node->shouldSpeculateBoolean())
2903             useKind = BooleanUse;
2904         else
2905             useKind = UntypedUse;
2906         Node* newNode = m_insertionSet.insertNode(
2907             m_indexInBlock, SpecInt32Only, BooleanToNumber, m_currentNode->origin,
2908             Edge(node, useKind));
2909         observeUseKindOnNode(node, useKind);
2910         
2911         edge = Edge(newNode, DoubleRepUse);
2912     }
2913     
2914     void truncateConstantToInt32(Edge& edge)
2915     {
2916         Node* oldNode = edge.node();
2917         
2918         JSValue value = oldNode->asJSValue();
2919         if (value.isInt32())
2920             return;
2921         
2922         value = jsNumber(JSC::toInt32(value.asNumber()));
2923         ASSERT(value.isInt32());
2924         edge.setNode(m_insertionSet.insertNode(
2925             m_indexInBlock, SpecInt32Only, JSConstant, m_currentNode->origin,
2926             OpInfo(m_graph.freeze(value))));
2927     }
2928     
2929     void truncateConstantsIfNecessary(Node* node, AddSpeculationMode mode)
2930     {
2931         if (mode != SpeculateInt32AndTruncateConstants)
2932             return;
2933         
2934         ASSERT(node->child1()->hasConstant() || node->child2()->hasConstant());
2935         if (node->child1()->hasConstant())
2936             truncateConstantToInt32(node->child1());
2937         else
2938             truncateConstantToInt32(node->child2());
2939     }
2940
2941     bool attemptToMakeIntegerAdd(Node* node)
2942     {
2943         AddSpeculationMode mode = m_graph.addSpeculationMode(node, FixupPass);
2944         if (mode != DontSpeculateInt32) {
2945             truncateConstantsIfNecessary(node, mode);
2946             fixIntOrBooleanEdge(node->child1());
2947             fixIntOrBooleanEdge(node->child2());
2948             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
2949                 node->setArithMode(Arith::Unchecked);
2950             else
2951                 node->setArithMode(Arith::CheckOverflow);
2952             return true;
2953         }
2954         
2955         if (m_graph.addShouldSpeculateAnyInt(node)) {
2956             fixEdge<Int52RepUse>(node->child1());
2957             fixEdge<Int52RepUse>(node->child2());
2958             node->setArithMode(Arith::CheckOverflow);
2959             node->setResult(NodeResultInt52);
2960             return true;
2961         }
2962         
2963         return false;
2964     }
2965     
2966     bool attemptToMakeGetArrayLength(Node* node)
2967     {
2968         if (!isInt32Speculation(node->prediction()))
2969             return false;
2970         CodeBlock* profiledBlock = m_graph.baselineCodeBlockFor(node->origin.semantic);
2971         ArrayProfile* arrayProfile = 
2972             profiledBlock->getArrayProfile(node->origin.semantic.bytecodeIndex);
2973         ArrayMode arrayMode = ArrayMode(Array::SelectUsingPredictions);
2974         if (arrayProfile) {
2975             ConcurrentJSLocker locker(profiledBlock->m_lock);
2976             arrayProfile->computeUpdatedPrediction(locker, profiledBlock);
2977             arrayMode = ArrayMode::fromObserved(locker, arrayProfile, Array::Read, false);
2978             if (arrayMode.type() == Array::Unprofiled) {
2979                 // For normal array operations, it makes sense to treat Unprofiled
2980                 // accesses as ForceExit and get more data rather than using
2981                 // predictions and then possibly ending up with a Generic. But here,
2982                 // we treat anything that is Unprofiled as Generic and keep the
2983                 // GetById. I.e. ForceExit = Generic. So, there is no harm - and only
2984                 // profit - from treating the Unprofiled case as
2985                 // SelectUsingPredictions.
2986                 arrayMode = ArrayMode(Array::SelectUsingPredictions);
2987             }
2988         }
2989             
2990         arrayMode = arrayMode.refine(
2991             m_graph, node, node->child1()->prediction(), node->prediction());
2992             
2993         if (arrayMode.type() == Array::Generic) {
2994             // Check if the input is something that we can't get array length for, but for which we
2995             // could insert some conversions in order to transform it into something that we can do it
2996             // for.
2997             if (node->child1()->shouldSpeculateStringObject())
2998                 attemptToForceStringArrayModeByToStringConversion<StringObjectUse>(arrayMode, node);
2999             else if (node->child1()->shouldSpeculateStringOrStringObject())
3000                 attemptToForceStringArrayModeByToStringConversion<StringOrStringObjectUse>(arrayMode, node);
3001         }
3002             
3003         if (!arrayMode.supportsSelfLength())
3004             return false;
3005         
3006         convertToGetArrayLength(node, arrayMode);
3007         return true;
3008     }
3009
3010     void convertToGetArrayLength(Node* node, ArrayMode arrayMode)
3011     {
3012         node->setOp(GetArrayLength);
3013         node->clearFlags(NodeMustGenerate);
3014         fixEdge<KnownCellUse>(node->child1());
3015         node->setArrayMode(arrayMode);
3016             
3017         Node* storage = checkArray(arrayMode, node->origin, node->child1().node(), 0, lengthNeedsStorage);
3018         if (!storage)
3019             return;
3020             
3021         node->child2() = Edge(storage);
3022     }
3023     
3024     Node* prependGetArrayLength(NodeOrigin origin, Node* child, ArrayMode arrayMode)
3025     {
3026         Node* storage = checkArray(arrayMode, origin, child, 0, lengthNeedsStorage);
3027         return m_insertionSet.insertNode(
3028             m_indexInBlock, SpecInt32Only, GetArrayLength, origin,
3029             OpInfo(arrayMode.asWord()), Edge(child, KnownCellUse), Edge(storage));
3030     }
3031
3032     void convertToHasIndexedProperty(Node* node)
3033     {
3034         node->setOp(HasIndexedProperty);
3035         node->clearFlags(NodeMustGenerate);
3036         node->setArrayMode(
3037             node->arrayMode().refine(
3038                 m_graph, node,
3039                 node->child1()->prediction(),
3040                 node->child2()->prediction(),
3041                 SpecNone));
3042         node->setInternalMethodType(PropertySlot::InternalMethodType::HasProperty);
3043
3044         blessArrayOperation(node->child1(), node->child2(), node->child3());
3045
3046         fixEdge<CellUse>(node->child1());
3047         fixEdge<Int32Use>(node->child2());
3048     }
3049
3050     bool attemptToMakeCallDOM(Node* node)
3051     {
3052         if (m_graph.hasExitSite(node->origin.semantic, BadType))
3053             return false;
3054
3055         const DOMJIT::Signature* signature = node->signature();
3056         if (!signature)
3057             return false;
3058
3059         {
3060             unsigned index = 0;
3061             bool shouldConvertToCallDOM = true;
3062             m_graph.doToChildren(node, [&](Edge& edge) {
3063                 // Callee. Ignore this. DFGByteCodeParser already emit appropriate checks.
3064                 if (!index)
3065                     return;
3066
3067                 if (index == 1) {
3068                     // DOM node case.
3069                     if (edge->shouldSpeculateNotCell())
3070                         shouldConvertToCallDOM = false;
3071                 } else {
3072                     switch (signature->arguments[index - 2]) {
3073                     case SpecString:
3074                         if (edge->shouldSpeculateNotString())